November 2007 $9.00

Will infosec vendors jump out of the pool? PAGE 36

Watching the watchers: The CSO who accidentally stole software PAGE 44



IBM, the IBM logo, System z and Tivoli are registered trademarks of International Business Machines Corporation in the United States and/or other countries. ©2007 IBM Corporation. All rights reserved.


INFRASTRUCTURE LOG

DAY 25: Our ad hoc security solutions are out of control. We’re not prepared for new threats. We’re always playing catch-up. We’re leaving ourselves vulnerable and exposed.

Gil’s had a security epiphany: high-powered lasers. They’re everywhere. I keep zapping myself as I type.

DAY 26: I’m taking back control with an end-to-end security solution from IBM. Their security service experts can come in and help us assess our security needs. IBM Tivoli® helps us monitor and respond to threats while managing access to our critical information. And the IBM System z™ mainframe’s encryption and multilevel security features are legendary.

That’s great. But it won’t bring back my left sideburn.

IBM.COM/TAKEBACKCONTROL/SECURITY


November 2007 Vol. 6, No. 10

Features...

26 Securing the Suburban High School
Cover | Physical Security These days, when towns approve funding for new high schools they demand trendy architects, high-end sports complexes and security. Of course, demanding security has virtually nothing to do with making it effective... By Scott Berinato

36 Troubled Waters
Information Security The churn and froth in the infosec industry never ends, as vendors consolidate, spin off and reposition. By Lawrence M. Walsh

40 Connecting the Dots
Disaster Preparedness Former DHS leader Tom Ridge talks about the practicals of communication and collaboration. By Katherine Walsh

Also Inside...

4 From the Editor
6 From the Publisher
8 Join the Discussion
CSOonline readers debate software risks.
12 Toolbox
Identity Management 101 Identity management can start small, but full-blown IDM projects comprise many different pieces. By Mary Brandel
17 Briefing
PDF vulnerabilities; RFID makes animal cloning easy; 2007 E-Crime Watch Survey; Campus crisis response; Vascular scanning in Halifax; Five things to remember when working after hours; Monitoring perimeter fences; Q&A with Cryptography Research’s Paul Kocher
44 Watching the Watchers
Undercover Even the best security staff is not above making costly mistakes.
46 The Risk Portfolio
Industry View A more holistic approach to risk management pays off. By David Lawson and Donita Prakash
48 Debriefing
Thanksgiving Security


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2007 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: †. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2 www.csoonline.com November 2007


Cover photo by Furnald/Gray


Vance Uniformed Protection is now Garda

A new name for the security team you know & trust

Consistent service | Experienced team | Exceptional value | Reduced risk | Peace of mind

For decades, Fortune 500 corporations and sensitive government agencies alike have trusted Vance Uniformed Protection to secure personnel, property and assets. Rigorous screening produces quality security officers. Rigorous training and supervision requirements yield consistent, reliable services that reduce risk and deter criminal activity. Now part of Garda, Vance Uniformed Protection continues to deliver unsurpassed value, maximizing client budgets by offering superior security programs at a competitive price.

In fact, only our name has changed. The same men and women, from the company’s seasoned management team to its experienced security officers, provide exceptional value and service with a total commitment to quality, day in and day out.

Under the Garda name, Vance Uniformed Protection experts continue to protect your people and assets. We use the same screening, training, employee-retention programs and the same quality-assurance standards to deliver the service consistency and peace of mind that you have come to expect.

GARDA

Contact our experts at 800.533.6754 or info@gardasecurity.com to upgrade your security program. gardasecurity.com

FORMERLY VANCE


[FROM THE EDITOR]

Building It In

That’s the goal, right? To build security in. Build it into business plans and processes, build it into employees’ daily work habits, build it into the network. Easier said than done, as you all know so well. But at the ASIS convention in Las Vegas, I got a better vision of building security in, with heavy emphasis on the word building.

I generally hate trade shows, truth be told, but I love the ASIS event, even the show floor part. As one attendee said, you truly get the sense that security is a dynamic industry in the throes of change. One of the changes was the notable presence of IBM and Cisco, artists formerly known as IT companies. Their presence merely confirms for the thousandth time that IT security is security and physical security is security. It’s all security. (On another aisle you could see Lenel’s new slogan, “Welcome IT...we’ve been waiting for you.” Hard to tell whether IT folks will take that as a handshake or a backhand.)

But while the digital/physical confluences have gotten a lot of airtime in the past few years, there’s another trend afoot with less ink but perhaps just as much significance. I met with Red Hawk, UTC’s newly reorganized systems integration unit, and our discussion veered to whether their new setup brings them into competition with a new set of companies. I mentioned Johnson Controls and Siemens Building Technologies, noting that their presence in the very core of so many facilities might provide a nice point of leverage with their customers when it comes to further integrating security systems. Antonio Cintra, president of Red Hawk (and some affiliated UTC businesses), responded that this is indeed a trend “in its infancy”: the better coordination of security, safety and facilities systems. He also noted that with other business units, including Carrier (HVAC) and Otis (elevators), UTC is “in the building as early as anybody.”

Obviously there are other vendors with a play in this trend, including Honeywell and Schneider Electric (Schneider has in the past year acquired both surveillance vendor Pelco and building systems management purveyor TAC). Now it’s one thing to have a bunch of business units and another to truly integrate their offerings. But the potential is there and given the number of players showing interest, I think we’ll continue to see security better and better built in.

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Executive Editor Scott Berinato
Managing Editor Sarah D. Scalet
Associate Staff Writer Katherine Walsh
Copy Chief Dave Gradijan
Copy Editor Susan Bryant-Still
Associate Copy Editor Kristin Burnham
Editorial Assistant Jarina D’Auria
Editorial Administrator Jill Paquette
Contributors Kathleen S. Carr, Rick Cook, Daintry Duffy, Jeff Jones, Chad McDonald, Robert McMillan, Michael Overly

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson
Senior Research Analyst Seanna Maguire

ONLINE EDITORIAL
Online Editorial Director Christopher Lindquist
Online Managing Editor Michael Goldberg
Senior Online Editors Meridith Levinson, Shawna McAlearney, Esther Schindler
Associate Online Editor Diann Daniel
Online Writer Al Sacco

CXO MEDIA/IDG
COO Matt Smith
CSO Robert Hayes

TECHNICAL ADVISORY BOARD
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

INTERNATIONAL DATA GROUP
Board Chairman Patrick J. McGovern
President, IDG Communications Bob Carrigan




Photo by Webb Chappell


We’ve given online security a whole new color.

Before another visitor abandons your site, consider why sites like eBay®, Travelocity® and Charles Schwab® use VeriSign® Extended Validation (EV) SSL Certificates. This new technology turns the address bar in high-security browsers green, indicating it’s safe to transact on a site. That’s the power of the Web’s most trusted name in security. VeriSign.

So the world can: proceed securely to checkout.

Get your free EV white paper at www.verisign.com/dm/evssl or call 1-866-893-6565.

©2007 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, VeriSign Secured, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


[FROM THE PUBLISHER]

Getting the Message Across

It isn’t always easy to get your message of security and risk across to your constituents. Sometimes it’s damn near impossible. As security professionals, people often think of you as paranoid (as I have often admitted to being in this column)...the executive who is always looking at the bad side of things and anticipating the worst. And sometimes your message is twisted and changed into something you never intended. Often those doing the twisting have the best intentions; they just aren’t in possession of all the facts.

Security is a funny thing. Some people embrace it while others fear it. In my October column I discussed the risk of complacency invading what we used to call “mahogany row,” the executive corridors of power. In addition to complacency, there are two other deadly sins of selling security: the morphing of security practices and policies that is forced upon organizations in an attempt to make security more “palatable” or effective, and what we affectionately refer to as CYA, or “Cover Your A**.” I’ll address the first here and the second next month.

I had the good fortune a few years back to attend a seminar on predictive profiling and terrorist threat mitigation at the invitation of Amotz Brandes of Chameleon Associates. The seminar was a precursor session to a training program run by Chameleon (www.chameleonassociates.com), an organization that included former security from El Al Airlines. During this program, Tomer Benito taught our class of 25 or so to think like terrorists. To plan like they do. To see the simplicity in what they do. And, ultimately, to understand the interview technique used by El Al security to screen passengers by identifying suspicious indicators and trying to eliminate those indicators through a customer service-style interview.

This effective technique has been adopted around the world. But some organizations in the U.S. have changed this model to focus on analyzing facial cues for signs of deception as opposed to focusing on the interview technique itself. In some cases they even use armed, uniformed personnel to conduct the interviews, immediately putting interviewees on the defensive. Sometimes it’s best to leave something that already works well alone.

Earlier this year, Benito, having left Chameleon Associates, authored a novel that incorporates the best practices he teaches. Rain for the Wicked is a thrilling and engaging tale that entertains even as it teaches the reader the basics of deterrence. While it showcases many of the institutional challenges that security professionals encounter, it also vividly describes exactly what we are up against.

For those executives who believe the threat has gone away, who believe they can improve tried-and-true security programs, and even for those focused on CYA, Rain for the Wicked is a great stocking stuffer. Knowledge, awareness and understanding of threats are how you will overcome the three deadly sins of selling risk management.

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

CXO Media Inc. 25, 43, 47
Intel Corp. 9
ADT Security Services Inc. 7
Cyveillance C3
Isabella Stewart Gardner Museum 16
ASIS International 11
Garda 3
BigFix, Inc. 23
HID Corp. 21
RSA Security Inc. 14, 15
CA C4
IBM Corp. C2, 35
Unisys Corp. 19
Verisign Inc. 5


Publisher Bob Bragdon
Senior Ad Sales Associate Christine McKay
East Coast Regional Manager Roz Burke
West Coast Regional Manager Drew Seifried

INTEGRATED MEDIA AND ONLINE SALES
Vice President, Online Sales Brian Glynn
Online Regional Sales Manager Richard Hartman
Online Regional Sales Manager, West Coast Erika Karr
Online Regional Sales Manager, Midwest Sarah Gaskin
Manager, Online Account Services Danielle Tetreault
Online Account Services Specialist Valerie Sumner
Online Advertising Specialist Irina Gabechiia
Online Account Services Coordinator Hayley Nickerson

CSO EXECUTIVE COUNCIL
Managing Director Bob Hayes
VP, Research and Product Development Kathleen Kotwica
Director, IT and Product Technology Greg Kane
Operations and Production Specialist Jayne Marcucella
Member Services Manager Elizabeth Lancaster

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley
Associate Production Manager Lisa M. Stevenson

EXECUTIVE PROGRAMS
VP, Executive Programs Ellen Daly
Director, Event Marketing Mary Conroy
Director, Event Operations Deb Begreen
National Sales Manager Per Melker
Senior Conference Producer Judith Kittredge
Event Planner Sarah Reagan
Event Coordinator Bethany Whiffin
Registration Specialist Cress O'Brien
Client Services Specialist Erica Foster
Sales Associate Nicole Blackburn

CIRCULATION
Senior VP/Circulation Carol A. Spach
Subscription Services Supervisor Tina Pescara

LIST SERVICES
Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact Reprint Management Services at 800 290-5460, ext. 100, or e-mail cso@reprintbuyer.com




Photo by Christopher Navin


MONITORING | ACCESS CONTROL | VIDEO SURVEILLANCE | RFID | INTRUSION DETECTION | EAS | FIRE & LIFE SAFETY

COMMERCIAL SOLUTIONS

When physical security and IT work together, everybody wins.

You can leverage your respective strengths to deliver new levels of performance, gain greater returns on your security investment and reduce your total cost of ownership. And few companies are more experienced at bringing people together to address security issues than ADT. In fact, we've been helping customers use innovative solutions to address new challenges for more than 130 years. Let us help you do the same. After all, the best way to face new challenges is with New Thinking.

For more information on our convergence capabilities or to learn about Secure World Expos, call 1-888-228-0274 or go to ADT.com/convergence.

ADT Always There®

ADT state license numbers are available for review on www.adt.com or by contacting 1-800-ADT-ASAP.® Copyright ©2007 ADT Security Services, Inc. All Rights Reserved. ADT, the ADT logo, ADT Always There and 1-800-ADT-ASAP are registered trademarks of ADT Services, AG. and are used under license.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com.


BLOG POST

The Software Risk 80/20

Jeff Jones of Microsoft examines where the biggest risks lie

I was in a meeting with a large group of security professionals today talking about SDL, reducing vulnerabilities, metrics, and so on (my normal topics) and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security.

The discussion focused around this question: What percentage of malware infections happen due to:

■ Vulnerabilities without patches available? (a.k.a. new vulns)
■ Vulns with patches available, but not applied? (unpatched vulns)
■ Some other vector: misconfiguration, social engineering, etc.?

Anecdotally, in our discussion we thought the breakdown was something like this:

■ New vulns: less than 10%
■ Vulns with patches not applied: 20-30%
■ Other vector (misconfiguration, social engineering, etc.): 60-70%

Zone-h.com posted spreadsheets of data on Web server penetrations, which they tracked from 2002 to 2004, and their breakdown for 2004 was new vulns 19%, unpatched vulns 26%, and 55% for the combination of configuration mistakes, brute force attacks and social engineering. (Let me encourage you to use your own numbers if you don’t think that breakdown is right, as I don’t think it detracts from the discussion at all.)

So now, let’s think about what this means in terms of product vulnerabilities and products. Two factors are vulnerability, or software quality, related. So, when I try to measure vendor progress on security quality or count vulnerabilities, success along those lines only affects the bottom two bars. The remainder of managing security risk (55%) depends on other factors completely.

How would [it] affect things if you could have a product with perfect security quality, or, in other words, no expectation of exposure due to a vulnerability? If a vendor builds a perfect product (not likely in the near future) then we can eliminate both vulnerability vectors for malware. But, even without perfect products, look how much of the malware problem cannot be eliminated by improving security quality or reducing vulnerabilities.

This really emphasizes how important other security disciplines are to the goal of protecting computers from malware. Security management and efforts to make users slightly more clueful jump out as efforts that could have large impacts on operational security.

So, while the importance of these disciplines is by no means a new insight, going through this exercise really puts things into perspective (for me) with respect to practical security progress in the enterprise. In the meantime, we should all encourage vendors to work toward those perfect software products to reduce the other two sections as well.




Illustration by ©Bettmann/CORBIS




TAKE CONTROL WITH INTEL® VPRO™ PROCESSOR TECHNOLOGY.

Repair PCs or deploy security upgrades remotely, even if they're powered off.*

Automatically isolate an infected desktop from the network. With 64-bit capable Intel vPro processor technology, powered by the Core™2 Duo processor, you multiply your company's possibilities. Learn more at intel.com/vPro

*Intel® Active Management Technology requires the platform to have an Intel® AMT enabled chipset, network hardware and software, connection with a power source and a network connection. ©2007 Intel Corporation. Intel, the Intel logo, Intel Core, Intel. Leap ahead., Intel vPro and the Intel. Leap ahead. and vPro logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. All rights reserved.

MULTIPLY SECURITY AND MAXIMIZE UPTIME.


>> DISCUSSION

BLOG POST

Security: Bringing Sexy Back

Chad McDonald says security leaders can’t pass the buck

Sex sells. I know it and you know it, but can we admit it? Back in the good ol’ days (don’t you feel old any time someone starts a story this way!), security was sexy. It was the hot new thing. Firewalls sold like hotcakes, certifications were worth gold.

Today, security isn’t so sexy anymore. If you’re like me, as you have “matured,” you’ve gotten out of shape. Your favorite shirt now makes you look like Homer Simpson. You may have even grayed around the temples a bit, if you managed to keep your hair at all. The point is that security has become old hat. Now, I suppose that is a good thing IF the reason is that we are all baking security into our processes. If that isn’t the case and we have just dropped our guard, then shame on us. In recent weeks I have visited a number of locations that were totally void of information security programs. The reason given: “We don’t need it,” or “We already do all of that.”

I think that you and I have dropped the ball. We haven’t been successful in moving from FUD [fear, uncertainty and doubt] and into the boardroom. We continued to use scare tactics to push security rather than proving the business benefits of security. Over time our audiences have seen us be more effective at preventing attacks or breaches and at the same time have become sensitized to our fearmongering.

Packet shaping has lost its cute little curves. The twinkle has gone from the intrusion prevention system. And much like “old Elvis,” the firewall has gotten bloated as it’s aged. Just like Cher, we need to reinvent ourselves and security to be something that makes heads turn (and in a good way). Bring security into the boardroom. Show security as adding value to the business. In the words of the esteemed Mr. Timberlake, help me “bring sexy back” to security.

MORE ON THE WEB

CSO Wanted

Find the latest job postings and job change news on our Movers and Shakers blog: blogs.csoonline.com/blog/movers and shakers

BLOG POST

Virtual Desktops

Michael Overly says software licensing is a wrinkle often overlooked

The latest rage in virtualization is the desktop. In addition to making administration and control easier, virtualizing the desktop also offers the potential of greater security. Virtualization affords businesses the ability to retain their applications and data on their own servers (as opposed to having instances of the applications and data residing on individual PCs and laptops, which have a nasty habit of going missing). There is even the possibility of having a virtual desktop completely contained on a USB device, with full encryption. All of this is, of course, useful and entirely worthy of exploration for many businesses.

My purpose is not to criticize the virtualization trend in any way, but to highlight an important legal issue that is frequently overlooked: proper licensing of the applications run in the virtual environment. With virtual servers capable of being set up in a matter of minutes (frequently without legal review or input), businesses sometimes overlook the need to ensure the applications being run in the virtual environment are properly licensed.

It’s a thorny issue. The individual licenses for each of the applications must be carefully reviewed to ensure there is no language that would prevent operation in a virtual environment. Since this issue will likely not be expressly addressed, limitations relating to the scope of the license, authorized operating configuration and other terms must be reviewed. In some cases, the licensor may have to be contacted to ensure virtualization will not result in a breach of the license. We have already seen several instances in which businesses have virtualized, only to find themselves the subject of an audit by one or more of their licensors for being out of compliance with their license agreements. ■

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.csoonline.com.

Derek Slater, Editor in Chief, dslater@cxo.com, 508 935-4213
Scott Berinato, Executive Editor, sberinato@cxo.com, 508 988-7587
Sarah Scalet, Managing Editor, sscalet@cxo.com, 973 338-0059
Katherine Walsh, Associate Staff Writer, kwalsh@cxo.com, 508 988-6939

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact Reprint Management Services, 800 290-5460, ext. 100, cso@reprintbuyer.com




What can ASIS International do for you?

• Strengthen your personal network.
• Enhance your skills and knowledge.
• Develop your leadership abilities and earn credentials.
• Unlock doors to new career and business opportunities.
• Stay on top of current events and emerging trends.

Unleash the Power of Collaboration

ASIS INTERNATIONAL
Advancing Security Worldwide

Visit www.asisonline.org or call 703-519-6200 for details or to join ASIS today.


TACTICS 


By  Mary  Bran  del 


Identity  Management  101 

Identity  management  can  start  small,  but  full-blown  IDM  projects  comprise 
many  different  pieces.  Here’s  a  look  at  critical  considerations  for  getting  started. 


Identity  management  (IDM)  software 
helps  organizations  effectively  man¬ 
age  the  job  of  providing  the  right 
users  with  access  to  the  right  sys¬ 
tem  and  application  resources.  This 
includes  employees,  customers,  contractors, 
business  partners  and  anyone  else  on  the 
network.  This  complex  job  can  be  accom¬ 
plished  through  several  best-of-breed  prod¬ 
ucts  or  through  a  suite  of  applications. 

Understanding  the  Market 

The  Radicati  Group  in  Palo  Alto,  Calif., 
breaks  out  the  market  this  way: 

Full  suites.  These  vendors  offer  solu¬ 
tions  that  include  directory  services,  provi¬ 
sioning,  secure  access  and  authentication, 
and  sometimes  federated  identity  elements. 
According  to  Forrester  Research,  the  clear 
leaders  in  this  category  include: 

■  Sun  Microsystems 
■  IBM/Tivoli 
■  CAInc. 

Jonathan Penn, research director at Forrester, says Novell is a second-tier player, with good products but a persistent inability to capitalize on that and gain significant market share. Meanwhile, Oracle is an up-and-comer that is beginning to capture significant new business, especially through its acquisitions, he says.

According to Penn, Microsoft is an important player, especially given its Active Directory. However, the company doesn’t provide the level of functionality and support for heterogeneity that enterprises need in identity management solutions. Other major players include Hewlett-Packard and Siemens, according to Radicati.

Provisioning. These vendors specifically provide user lifecycle account management. Companies in this segment, according to Radicati, include Beta Systems, BMC Software, Courion, Fischer International, MaXware (just acquired by SAP) and others.

Secure access and authentication. These vendors offer secure access and a range of authentication products, such as smart cards and biometric devices. Companies include EMC (RSA Security), Entrust and many others, according to Radicati.


12  www.csoonline.com  November  2007 


Illustration  by  Josh  Cochran 


Federated identity. These vendors and service providers help companies establish secure virtual communities, where customers and partners can visit and conduct business on different websites with a single log-in. This relatively new area will grow more important over the next two years, Radicati says, mentioning representative companies such as HP and Ping ID.

Business drivers. The drivers behind IDM demand have traditionally included:

■ Streamlining, cutting costs and reducing error rates of user account management, including the frequent need to modify and disable accounts, reset passwords and update user profile information.

■ Minimizing unauthorized access to sensitive systems.

■ Opening the network to partners and customers.

Regulatory compliance. Regulatory compliance is fast becoming a top reason for implementing IDM, according to Radicati. IDM suites can help companies comply with Sarbanes-Oxley, HIPAA and others by providing audit trails of all user actions and proving that no users have violated their access rights or used digital resources inappropriately.

Market size. IDM has become a key component of companies’ information security programs. In the past year, worldwide deployment has grown by well over 50 percent, according to a February 2007 study by Radicati. The study also found that the IDM market will reach over $2.8 billion this year in worldwide revenues and will grow to almost $13 billion by 2011. This includes full suites, provisioning, secure access/authentication and federated identity solutions.

User provisioning is the main engine in support of IDM activities, according to Gartner, whether as a point product or as part of a suite. From 2005 to 2006, user-provisioning revenue grew 12.3 percent, and Gartner expects continued growth through 2009. As of mid-2007, 20 percent to 25 percent of midsize to large enterprises worldwide have implemented some form of user provisioning, Gartner says, with another 25 percent to 33 percent evaluating solutions.

Market trends. Consolidation in the IDM market has been hot since 2002, and while it has slowed, acquisitions will continue, Gartner says. In the provisioning space this year, SAP acquired MaXware (a user provisioning and virtualization vendor), and Oracle bought both Bridgestream (an enterprise role management software vendor) and Bharosa (an online identity theft and fraud software vendor).

Earl Perkins, an analyst at Gartner, anticipates further acquisitions in the role management arena, as many vendors are now partnering with vendors such as Vaau, Eurekify, Bhold and SailPoint, which do role mining and discovery.

Obstacles to implementation. IDM initiatives are complex and require experienced management to increase the chance of success, according to Gartner. Although Gartner says success rates have improved over the years, IDM projects—particularly provisioning efforts—still have a significant failure rate, due primarily to scope definition and managing to that scope.

Common obstacles to successful provisioning implementations include the following, according to Forrester:

■ Perceived high implementation and services costs (relative to license costs)

■ Unduly long and winding curves of defining business roles for provisioning

■ Securing the appropriate level of organizational support

■ Spending enough time on business process redesign and role design

■ Consolidating user repositories.

Key strategies. These obstacles can be circumvented by following several strategies:

■ Start modestly. Implement some of the foundational elements of an IDM system first for some quick ROI.

■ Get support. Gartner says it’s crucial to gather the appropriate political support within the enterprise and to select an effective program partner outside the company (consultant or system integrator) that understands the business and technical issues of IDM.

■ Involve your developers. “Every hour your developers spend alongside the vendor’s connector specialist will help your team become self-sufficient with connector development,” says Andras Cser, senior analyst at Forrester.

Dos  and  Don’ts 

Don’t underestimate the amount of preparation involved. For Mike Petosa, IT director at the American National Standards Institute, the two biggest challenges for implementing an IDM system from Novell were cleaning the data and defining the business processes surrounding identity management.

Data cleansing was 60 percent of the project, he estimates. For instance, his team had to clear up semantic differences among various departments, such as the term “inactive record.” “That needed to be accurate to create the correct workflow and rules,” he says.

Defining business process required exposing intuitive knowledge that individuals had stored up for years, he says. “It took a lot of probing to expose the workflows because it was distributed among many people,” Petosa says. For instance, member registration involved several departments working separately to provide access to applications and services based on membership level.

Petosa’s group had to define workflows and business rules that would streamline these processes and minimize errors. Now, when a member registers online, a record is created in the CRM system, and access is automatically provided to a limited area of the SharePoint portal server. When the membership department receives notification of the new membership, it authorizes further access, based on the membership level.

“All these rules are stored in the identity management system, and all the member identities are stored in the identification vault,” Petosa says. Now, when updates




such as change of address or membership level are made in the CRM system, the changes are synchronized across all other systems and databases.

DO prepare your environment to smooth implementation. When Equifax implemented Sun’s IDM system, it didn’t plunge right in, says Tony Spinelli, chief security and compliance officer. He first worked with the IT department to create one authoritative source for all the company’s employees and contractors, which required creating one logical database from databases throughout the world.

Second, Spinelli wanted to develop a way to connect the IDM system with all the other applications that Equifax used, rather than having to write scripting languages and adapters for each application it wanted to integrate. To do this, he worked with IT to develop identity repositories in Active Directory and LDAP. “We didn’t want to write adapters between Sun and every application we wanted to connect—that really would have elongated the process,” he says.

DO prepare for a long project. Because of the complexity of IDM, implementations can easily last a year or more, experts say. ANSI’s IDM implementation took about a year and a half, according to Petosa.

A COMPLETE IDM SYSTEM INCLUDES THE FOLLOWING ELEMENTS:

■ Directory services

■ Access management

■ Password administration, including single sign-on

■ Identity authentication

■ User provisioning

■ Compliance auditing

■ Role management

■ Federated identities, which enable the creation of virtual communities of customers and partners that can conduct business on different websites with a single log-in

This can lead to frustration, Perkins says. “I’ve been surprised by the number of people who’ve expressed disappointment and disillusion at the progress and process of installing these systems,” he says. “These are very complex and difficult systems to install, and the more complex your environment, and the more applications and platforms you wish to have on the workflow system, the more complicated it becomes.”

One way to ease the frustration is to stage the project. At ANSI, Petosa’s group started with the company’s CRM and online system and later added the accounting and human resource systems, defining more rules as they went to achieve the process flow they wanted. “It’s like re-engineering; you can’t do it in one step,” he says.

Don’t assume you can accomplish this in-house. Both Petosa and Spinelli say they couldn’t have succeeded with their implementations without lots of vendor support. “This is not for the weak of heart,” Petosa says. “You need to look for a company with excellent VAR support.” The risk of making a mistake, he says, is huge. “It will destroy your data and your systems if it’s poorly designed.”

But don’t rely 100 percent on outside help. “You have to be an active participant,” Petosa warns, especially when it comes to defining your business processes. “Integrators can’t dig deep enough,” he says. “You need a dedicated staff working with the implementation team.”

Spinelli says it was beneficial to have staff that was already experienced with Sun’s Java environment. “We can leverage our Java development team to code the identity management tool,” he says. In addition, he hired a team of coders who had previously worked at Waveset Technologies, the identity management software vendor that Sun acquired.

DO get upper management support. At Equifax, Spinelli kicked off the effort by inviting the company’s CTO as well as high-level executives from HR, architecture, operations, legal and financial to a three-day meeting. The group determined the business drivers for an IDM system, which turned out to be compliance, simplifying identities, leveraging data and metrics, and—down the road—enabling federation. ■


Mary Brandel is a freelance writer. Send feedback to Editor Derek Slater at dslater@cxo.com.








S  AND  FAST  FACTS 

Edited  by  Daintry  Duffy 


SPAM STORM

PDF Vulnerabilities

There’s good news, better news, and some pretty bad news about the PDF spam that flooded corporate mailboxes this summer. The good news is that the storm of spam vanished as quickly as it came. “The increase started mid-June and the latest report we saw indicated PDF spam dried up [in the last week of August],” says John Landwehr, director of security solutions and strategy at Adobe Systems. The summer PDF campaign hit hard and fast. According to IronPort, about 5 billion copies of one of the spams were sent out. By July PDF spam accounted for about 8 percent of all spam, according to Symantec.

The better news is that the PDFs were all straight spam, not attempted exploits. Unless you’re interested in dubious stock tips, the spam was harmless.

The bad news is the attack points to the potential for PDF exploits that could infect everything from a single computer to an entire network. And in fact, as this story went to press, Adobe was admitting that a critical vulnerability had been found in PDF files. The company had a workaround for the problem but was still trying to cobble together a patch. This flaw comes after versions of Acrobat Reader earlier than version 8 were discovered to have a nasty JavaScript cross-site scripting (XSS) vulnerability.

The problem of image spam didn’t start with PDFs and it won’t end with them. The latest trend, which started showing up in July, is to embed the payload into an Excel XLS file. What makes these attacks particularly nasty is the social engineering component. PDF and XLS documents have more credibility with business users than a JPEG. If the average user gets an e-mail titled “complaint” containing nothing but a PDF, he or she will likely open it. Until this year, security vendors didn’t check PDFs and XLS files, because there wasn’t a problem with them and they’re hard to check. Many antispam products didn’t check nondocument attachments at all. That has changed, and most antispam products now check PDFs as well as other forms of image spam. Getting spam in your corporate e-mail is still annoying, of course. But the danger is that the same technique could deliver Trojans, viruses, malware and other threats. That threat appears to have been realized with this latest critical vulnerability, which uses the “mailto:” e-mail function to inject malicious code into a PC. Adobe is telling customers to “use caution” when clicking on attachments.

Still, Acrobat Reader is well-nigh universal, and that makes it a tempting target. What is worse, a lot of users never update their version of Acrobat Reader, leaving them vulnerable to already patched bugs like the XSS bug found last December. It’s important to realize that the XSS vulnerability probably won’t be the last attack on PDF files. It is simply too juicy a target. -Rick Cook

WHAT TO DO

■ Educate users to never open a suspicious e-mail attachment. If the user isn’t certain, it’s a good policy to contact the supposed sender to make sure the attachment is legitimate.

■ Make sure all users are using at least Adobe Acrobat Reader 8. The XSS problem was fixed in Acrobat Reader 8 and later versions. Versions before that are vulnerable. Explorer 7 is protected, and some alternative PDF readers, such as Foxit Reader, are safe.

■ Protect your servers. Adobe support describes several techniques, such as adding a content disposition header to server response, on its website, and additional techniques are in the OWASP presentation (visit adobe.com for more information).
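The server-side workaround named in the “Protect your servers” item, as an added example (not Adobe’s code or the OWASP material the item refers to): a small Python handler that serves every PDF with a Content-Disposition: attachment header, so the browser saves the file instead of handing it to the Acrobat plug-in for inline rendering, plus an audit routine that parses captured response heads and flags PDFs still served inline or without the header. The document store, paths and sample responses are constructed.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List

# Constructed in-memory "files" so the demo server runs without touching disk;
# the bytes are a placeholder, not a real PDF.
DOCUMENTS: Dict[str, bytes] = {"/reports/q3.pdf": b"%PDF-1.4 placeholder"}


def pdf_download_headers(path: str) -> Dict[str, str]:
    """Headers that make the browser save the PDF instead of rendering it
    inline through the Acrobat plug-in (where the XSS flaw applied)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]            # drop any directory part
    safe = re.sub(r"[^A-Za-z0-9._ -]", "_", base) or "document.pdf"  # no CR/LF/quotes
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe}"',
    }


class PdfHandler(BaseHTTPRequestHandler):
    """Minimal handler: every PDF it serves carries the download headers above."""

    def do_GET(self) -> None:
        body = DOCUMENTS.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        for name, value in pdf_download_headers(self.path).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt: str, *args: object) -> None:
        pass                                  # keep the example quiet


def parse_response_head(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value, from a captured HTTP response head."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:         # line 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_pdf_response(raw: str) -> List[str]:
    """Findings for one captured response; an empty list means it passes."""
    h = parse_response_head(raw)
    # Media type only: parameters such as "; charset=..." must not hide a PDF.
    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != "application/pdf":
        return []                             # only PDF responses are in scope
    disposition = h.get("content-disposition", "").split(";", 1)[0].strip().lower()
    if disposition == "attachment":
        return []
    if not disposition:
        return ["PDF served without Content-Disposition: the plug-in renders it inline"]
    return [f"PDF served with Content-Disposition '{disposition}' instead of 'attachment'"]


# Constructed sample responses, as a proxy or crawler might capture them.
SAMPLES: Dict[str, str] = {
    "inline": "HTTP/1.1 200 OK\r\nContent-Type: application/pdf; charset=binary\r\n"
              "Content-Disposition: inline; filename=a.pdf\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: Application/PDF\r\n\r\n",
    "fixed": "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
             'Content-Disposition: attachment; filename="a.pdf"\r\n\r\n',
    "html": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_pdf_response(raw) or ["ok"])
    HTTPServer(("127.0.0.1", 8080), PdfHandler).serve_forever()
```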


Illustration  by  Jens  Bonnke/Getty  Images 




>>  BRIEFING 


INTERNET  SECURITY 


IDENTITY  MANAGEMENT 

My  Life  as  a  Dog 

RFID  makes  animal  cloning  easy 

Adam Laurie lived a few Novembers as a dog earlier this year. By duplicating the RFID tag used to identify pets in the U.K. and sewing it into his watch strap, Laurie, an independent security researcher, re-created his dog’s ID as a hacking exercise. However, this kind of virtual animal cloning could become a serious issue as industrialized countries roll out RFID-based systems to keep track of their livestock.

Japan and the U.K. have led the way, developing so-called source- and age-verified tracking systems that could help contain the damage caused by outbreaks of mad cow disease, scrapie or avian flu. The U.S. Department of Agriculture has also been testing the use of RFID chips as part of a National Animal Identification System.

These systems are changing the way we purchase meat, notes Sue Brown, a product manager with Destron Fearing, a maker of RFID tracking chips. In Japan, consumers can scan a package of beef and have a photo of the people who raised the cow, along with details on how it entered the country, sent to their mobile phones. According to Brown, Destron Fearing has taken steps to prevent its tags from being cloned, including placing the chip in a tamperproof polyurethane casing. “This is an unalterable means of identification,” she says.

But not everyone sees the technology as foolproof. Laurie points out that the RFID tags communicate without encryption, so some of them can be cloned or even reprogrammed. “If you create another tag that has the same ID, you can effectively clone the animal.” Or at least its identity.

Still, why would someone want to do this? A farmer might want to swap out the identity of a sick animal in his stock to save an entire herd from being destroyed. That’s why some companies are starting to match DNA samples with existing ID systems in order to offer a greater level of assurance.

The U.S. has been lucky so far. There hasn’t been an outbreak of mad cow disease like the one that crippled the U.K. beef industry. But that might all change very quickly, says Brown. “We are probably one disaster away from having that sort of thing occur in the U.S.” -Robert McMillan


Execs  Check  Out 

CSO’s  e-crime  survey  finds  net  crime 
steady,  executive  complacency  rising 


[Chart: 57% conduct employee background checks, a decrease from 73 percent in 2006]

The results from the fourth annual CSO “E-Crime Watch Survey” are a mixed bag of positive developments and troubling trends. While the overall threat level from Internet crime has held steady, security executives are actually becoming more complacent about dealing with it.

The survey, which was conducted in conjunction with Microsoft, the U.S. Secret Service and Carnegie Mellon Software Engineering Institute’s CERT Program, polled 671 law enforcement officials and security executives on a variety of security topics. Fifty-seven percent of respondents cited e-crime as a risk they are increasingly concerned about. And while 69 percent of respondents said they are more prepared to deal with e-crime threats now, they are also spending less on it. The study shows that IT security spending this year fell by 5 percent and corporate security spending by 15 percent. Dawn Cappelli, senior member of the technical staff at CERT, chalks that up to reduced security budgets and the current nature of attacks. “The types of attacks we saw last year were outside and untargeted, like viruses, worms and spam. Since people now know how to deal with those e-crimes, they aren’t feeling as threatened.”

But that may be false confidence. Insider threats are still rising. Study participants identified the top three sources of insider e-crime as social engineering (45 percent, up from 38 percent last year), compromised accounts (39 percent), and copying information to USB drives or other mobile storage devices (36 percent). Despite the increasing risk of insider crime, only 57 percent of respondents conduct employee background checks, down from 73 percent last year. The number of companies conducting employee security awareness training also plummeted—from 68 percent last year to 38 percent this year.

Respondents still identified firewalls as the most effective technology to prevent e-crime, which can leave companies vulnerable, says Jeff Jones, director of trustworthy computing for Microsoft. “Too much confidence in a traditional firewall can make companies more vulnerable to new types of insider and targeted attacks designed to bypass the perimeter.”

While the study found that insider and outsider threats cause similar amounts of damage (insiders 34 percent, outsiders 37 percent), Cappelli says that doesn’t mean they pose the same risks. “Outsider threats are untargeted and handled well by technology. But insider threats are targeted, and much harder to stop. Given that statistic, organizations need to be more concerned about insiders.”

-  Katherine  Walsh 





CAMPUS  SECURITY 

Campus  Crisis  Response 

Virginia  Tech  releases  its  plan  to  improve 
campus  security  in  the  wake  of  tragedy 

Late this summer, as students were preparing to converge back on the nation’s college campuses, Virginia Tech released the results of an extensive internal security review conducted in the aftermath of the April 16, 2007, shootings that left 33 dead (including the lone gunman) on the Blacksburg, Va., campus. The review examined physical security on campus, as well as communication and organizational issues that affected the university’s response during the crisis.

Universities and colleges across the country and around the world will be paying attention to the findings and their implementation. A selection of the panel’s recommendations for hardening campus security is below. A full account of the findings and recommendations can be viewed at www.vtnews.vt.edu/story.php?relyear=2007&itemno=459.

PHYSICAL INFRASTRUCTURE

■ Remove and replace hardware on all perimeter doors to mitigate the risk of doors being chained.

■ Install interior locks on all general assignment classrooms.

■ Explore the installation of a centrally controlled electronic card key access system for all key academic and administrative facilities. In the event of an emergency, such a system would allow individual and groups of buildings to be locked remotely by the police department.

■ Construct a state-of-the-art public safety building that will physically consolidate Virginia Tech Police and Virginia Tech Rescue Squad services in a single facility.

■ Explore the feasibility of deploying a centrally monitored closed-circuit television system using video surveillance cameras.

COMMUNICATION

■ Provide mass notification in classrooms and other environments where other systems may not provide adequate notification.

■ Explore the installation of LCD message boards within the entrances to key campus buildings, as well as outdoor illuminated message boards at major campus entrances. These displays would alert the campus to emergency situations and provide instructions on the appropriate actions to be taken.

■ Create an electronic “people locator system” that members of the campus population could log on to, to post their status so that relatives, friends and colleagues could receive updated information.

EMERGENCY PREPAREDNESS

■ To prepare for potential emergencies, increase the use of annual “tabletop,” or simulation, exercises by key campus units (for example, police, rescue squad, physical plant, building coordinators and so on). -Daintry Duffy


TRANSPORTATION  SECURITY 

You’re  So 
Veined 

Will  a  new  biometric  at  the  Port 
of  Halifax  overcome  hurdles 
that  other  biometrics  haven’t? 

BY THE end of November, the Port of Halifax will be using biometrics as a second factor of authentication to access its port facilities, as mandated by new regulations. But Halifax won’t be using fingerprints, retinal scans or voice prints. Instead, port security officer Gordon Helm chose vascular scanning. The relatively new technique uses a passive infrared scan of the back of your hand to take a picture of the vein pattern and match it to a stored image of the same.




After  some  trials,  Helm  believes 
vascular  scanning  could  become  the  bio¬ 
metric  that  gains  widespread  acceptance 
and,  finally,  overcomes  the  main  hurdle 
to  widespread  adoption  of  biometrics: 
perceived  invasiveness.  “It’s  five  seconds 
holding  your  hand  out  and  done,”  he 
says  of  the  device,  which  looks  like  a 
small  ATM  and  includes  a  keypad  for  an 
optional  third  authentication  method. 
“It’s  very  quick,  very  efficient  and  very 
accurate.” 

Transport Canada recently mandated that ports have a way to prove that a person holding an issued access card is the person it was issued to. (Loosely, this gets called nonrepudiation; strictly, nonrepudiation is a party's inability to deny an action it took, while what the regulation asks for is that the credential be bound to its holder, which is what a second authentication factor provides.) Helm said few options besides biometrics were feasible as such a second factor. But biometrics are a challenge because they make many people uncomfortable and there is an accuracy concern at both ends. Set the match threshold too loosely and the false accept rate climbs: an impostor holding someone else's card gets through, which is exactly the bypass the regulation is meant to close. Set it too tightly and the false reject rate climbs: legitimate workers are turned away and the guards spend their time clearing spurious alarms. So in cooperation with the heads of the various labor forces working at the port, from the cruise industry to the trucking and container industries, Helm set out to find the least invasive form of biometrics that was still accurate and efficient.

"We really challenged the industry and vascular scanning came up the best," says Helm. "It was quick—labor liked that. And it didn't have as high a false-positive rate as some other techniques."
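The accuracy trade-off above, as an added worked example that is not part of the original article and uses no data from the Halifax deployment: a verifier returns a similarity score for each presentation, and the deployment's operating point is a threshold on that score. The genuine and impostor scores below are constructed. The functions compute the false accept rate (FAR) and false reject rate (FRR) at a threshold, pick the lowest threshold that meets a FAR ceiling, and find the equal error rate (EER) that vendors usually quote.

```python
"""Operating-point selection for a biometric verifier.

Added illustration for the Halifax vein-scanning story. The scores below are
constructed, not measurements from any reader. A matcher returns a similarity
score for each presentation; a presentation is accepted when the score reaches
the threshold. Impostor scores above it are false accepts, genuine scores
below it are false rejects.
"""

# Constructed similarity scores in [0, 100]. Genuine: the enrolled hand
# presented again. Impostor: a different person presenting someone else's card.
GENUINE = [88, 91, 79, 95, 84, 90, 73, 87, 93, 81, 58, 96, 85, 89, 66, 92]
IMPOSTOR = [12, 25, 41, 33, 18, 57, 22, 38, 49, 15, 72, 29, 44, 20, 35, 27]


def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) at a threshold, accepting when score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_far(genuine, impostor, max_far):
    """Lowest integer threshold whose FAR does not exceed max_far.

    Access control fixes FAR first, because a false accept is the bypass;
    the FRR that results is the nuisance the users will feel.
    Returns (threshold, far, frr)."""
    for t in range(0, 101):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target")


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the rate there.

    EER is the single number used to compare modalities; it is not the
    operating point to deploy at a gate."""
    best = None
    for t in range(0, 101):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, t, eer = best
    return t, eer


if __name__ == "__main__":
    t, far, frr = threshold_for_far(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"no false accepts at threshold {t}: FAR={far:.3f}, FRR={frr:.3f}")
    t, far, frr = threshold_for_far(GENUINE, IMPOSTOR, max_far=0.1)
    print(f"FAR<=10% at threshold {t}: FAR={far:.3f}, FRR={frr:.3f}")
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.3f} at threshold {t}")
```

On the constructed scores, demanding zero false accepts pushes the threshold to 73 and rejects one genuine presentation in eight, while allowing one false accept in sixteen drops the threshold to 58 and rejects nobody. For a port gate the FAR ceiling is the one to fix first; the FRR that falls out of it is what the labor representatives feel as turned-away workers and repeat attempts, and it is the number to re-measure under the outdoor conditions the article goes on to describe, since a poor capture lowers genuine scores.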

The biggest challenge for the access project turned out to be Nova Scotia itself. None of the devices Helm tested could stand up to Halifax's weather conditions. Snow, freezing rain, wind and salt wreaked havoc with some of the sensitive biometric readers. Helm's vendors were forced to put in extra research and development so that their devices would continue to operate in poor weather conditions. -Scott Berinato


Photos: top by AP/Wide World Photos; bottom by iStockphoto


The HID RP40 multiCLASS™ Reader reads the most popular proximity cards and smart cards. It's the ultimate migration solution. The RP40 is a multi-technology card reader that makes it easy to upgrade a proximity card system to a 13.56 MHz contactless smart card technology such as HID iCLASS®. Whether you're making the transition in a single building or across multiple facilities, you can do it at your own pace, employing multiple card technologies. Unlike other "smart" card readers that only scan the serial numbers of iCLASS, the RP40 offers the enhanced security of mutual authentication and data encryption. Convenient. Flexible. Secure. For the perfect migration path, the HID RP40 multiCLASS is required reading.


hidcorp.com 


>>  BRIEFING 


Five Things to Remember When Working After Hours

We've all done it: worked into the wee hours of the morning only to realize that we're now alone, the parking lot is deserted, and no one knows where we are. Working late and on weekends is often a necessary evil, but it's important to take precautions to avoid safety issues when you do have to burn the midnight oil. We talked to Kroll's managing director, Timothy Horner, for some tips to keep you and your employees safe after hours.

Notify.  Tell  your  boss  that  you’re  working  late.  Notify 
internal  security  staff;  in  some  cases  this  also  includes 
building  security.  In  fact,  program  the  number  for  building 
security  into  your  cell  phone  ahead  of  time.  And  don’t  forget 
to  tell  your  family  so  that  they  aren’t  unduly  alarmed  when  you  don’t 
arrive  in  time  for  dinner. 

Use common sense. Avoid unsecured areas, like common restrooms, fire staircases and back alleys. Use main transportation routes. If there's a main elevator, use that instead of the fire stairs.


Use cameras to your advantage. Be aware of areas in your building that are monitored by closed-circuit TV and work only in those areas if possible. Also, be aware of what you leave on your desk when working late, taking extra care to safeguard your valuables.

Re-notify. When you leave the building at night, notify security and call your family so that they know to expect you. Be aware of what the corporate policy is on working late and abide by that policy.

Park  smart.  Before  it  gets  too  late,  move  your  car  in 
the  parking  lot  to  a  well-lit  area.  If  you  are  working  in  a 
metropolitan  area,  arrange  for  a  car  service  or  a  cab  to  pick 
you  up. 

Common  sense,  says  Horner,  is  the  most  effective  tool  for  staying 
safe.  Avoiding  working  late  altogether  is  even  better.  But  if  you  must,  try 
to  “do  it  as  a  team.  Stay  together  while  you’re  working,”  he  says,  “and 
leave  the  office  together  when  you’re  done.”  -Kathleen  S.  Carr 




PERIMETER  SECURITY 

RIDING  THE 
FENCE  LINE 

New  technology  allows  security  to 
remotely  monitor  perimeter  fences 

It  had  to  happen,  right?  Smart  cameras.  Smart  doors.  Now, 
the  latest  physical  security  product  to  get  smart  is  the 
fence. 

The newest wrinkle being added to perimeter fencing is geographical. An Australian vendor, Future Fibre Technologies, which makes fiber-optic perimeter sensors, is linking up its sensors to global positioning so that, when the sensors detect a fence breach, they can deliver the exact latitude and longitude of an event, pinpointing the precise spot of trouble.

Older systems would divvy up perimeter fences into zones. When a breach occurred, the sensors would report that something had happened somewhere within that zone, within 25 yards of the actual event. With the global positioning integration, the new sensors give the exact location of the breach. This saves response time, making nuisance alarms less time consuming and allowing a quicker response to real alarms.




What's more, it opens up the sensors to new applications, such as overlaying alerts with Google Earth maps and automatically moving one of those smart cameras to zoom in on the trouble spot based on the coordinates of the event.

The technology comes at a time of renewed interest in barriers as security measures (see a recent blog posting by CSO Executive Editor Scott Berinato on this topic at http://blogs.csoonline.com/comment/reply/271). New walls have been installed recently to create divisions between politically contentious neighborhoods and along contentious borders: in Israel, in Kashmir between India and Pakistan, and most recently within Iraqi towns where Sunni and Shia sects are warring.

These walls are almost always called security fences and are much more complex than simple vertical barriers. For years, fences have been evolving to become complex security systems that include barriers, traps and intrusion detection. The technologies used to make up these complex systems range from the ancient to the cutting edge. Recent advances include electronic motion detection and infrared cameras. But the fences still employ old-fashioned security measures as well, like razor wire, ditches, berms and raked sand for picking up footprints.

The  latest  GPS-based  sensors  will  make  smart  fences  even 
smarter.  -Scott  Berinato 




BIGFIX Discovery 7.0 specifications (advertisement)

Engine: real-time and policy-driven
One server per 200K endpoints
AV to 10K devices in under 4 hours
Days/weeks into minutes/hours
One-and-only BigFix agent
Footprint: 2% CPU, 10MB disk space
Eliminate attacks, malware and rogue devices
Test data: discovered 400 rogue assets per week on a 50K-endpoint network


We are pleased to announce BIGFIX Discovery 7.0, available for immediate delivery. Now you can conquer your IT time and space with real-time visibility and control across hundreds of thousands of servers and endpoints in minutes! Yes, minutes. With The Ultimate IT Machine's 1-server-to-200,000-endpoint ratio, you'll experience unmatched performance & economics.

Not just "Big," Intergalactic! And contrary to what you need with LANDesk/Microsoft/McAfee/Symantec et al, the new BigFix Distributed Server Architecture eliminates fleets of servers and armies of consultants. Best of all, BigFix Discovery 7.0 can even show you what those guys are (NOT) really doing for you on all your computers: Windows, Vista, even Linux/Unix and Mac systems. And we'll prove it, free. At your site. Which is why they're running scared. Really scared.

Schedule a free test drive to show how fast we hyperpower you at www.bigfix.com/discovery7, or call 510-652-6700. We'll also send you this vehicle data sheet.


B  I  G  F  I  X* 

Never  before  have  so  few  done  so  much,  so  fast,  for  so  many. 


The  BIGFIX  Discovery  7.0  platform  shown  above  is  equipped  with  a  black 
leather  interior  and  combat  ace  designations  for  wholesale  destruction  of 
Altiris,  LANDesk,  McAfee,  Microsoft,  and  Symantec. 


©2007  BIGFIX.  BIGFIX  and  its  logo  are  registered  trademarks  of  BIGFIX,  Inc.  All  other  trademarks  are  acknowledged.  Illustrations  by  Daryl  Mandryk. 




>>  BRIEFING 


Q&A

The Numbers Man

At the most basic level, cryptography is the science of using math to protect information. Paul Kocher, president and chief scientist at Cryptography Research, has made a career out of using these algorithms to protect companies from fraud and piracy. CSO talked with him about cryptography's history, present, future, and how it will continue to fit into the changing security landscape.

How  has  cryptography 
evolved  over  the  years? 

More than a hundred years ago it was almost exclusively the domain of governments. The largest wide-scale user of cryptography was the Catholic Church. In order to manage its empire, the church needed to be able to communicate with remote outposts and ensure those communications were both secret and unmodified, so cryptography was an essential piece of that. In wartime it became critical from a government perspective. The paths by which information was physically transported, whether telegraph or radio, were inherently vulnerable to capture and eavesdropping, so cryptography was very important. In the 1970s, banks became significant users because they realized they had large networks and little ability to physically secure communication channels. Today, the trend is toward a more broad use of cryptography. It's showing up in virtually any sort of electronic device that has to process information with security attached to it. You'd be hard-pressed to think of any gadget these days that processes information yet doesn't use cryptography to some degree.

What  are  some  of  the 
potential  future  applications? 

In  10  years,  cryptography  will 
be  cheap  enough  to  use  in  order 
to  protect  brand  identity.  For 
example,  toothpaste  coming  from 
China  that  is  bearing  the  brand 
of  a  company  that  didn’t  make  it. 
There’s  a  huge  incentive  for  that 
brand  to  put  a  chip  associated 
with  their  product  that  proves  it’s 
their  product  and  not  an  impostor. 
I  also  think  it’s  inevitable  that  we 
will  see  chips  in  every  ID  card  or 
credit  card.  They’ll  all  become 
cryptographic  devices. 

What  kinds  of  attacks  are 
cryptosystems  subject  to? 

The one thing you don't need to worry about with modern systems is that the algorithms will break. If you're using the Advanced Encryption Standard or the RSA algorithm with 1,500-bit or larger keys, those systems are incredibly unlikely to be broken by someone directing a mathematical attack against the design. Where they fail is in the implementation. If the keys to unlock the data can be accessed without having to do a frontal assault on the algorithm, then the security can break. The number-one issue is implementation bugs: software where you have buffer overflows that will let someone break into a machine. It doesn't matter how strong the cryptography is if someone is running malicious code in the CPU and can access the key. The problem with implementation defects is getting worse as systems become more complicated. The global trend is toward less security and easier access for those interested in tampering with data.

How  can  we  overcome  this? 

On the one hand, it's just the landscape we have to deal with, but there are technology decisions that can make a dramatic difference. In my company, we deal with highly sensitive data, so we run a network with no connections to the outside world. That immediately solves a lot of problems. If you ask yourself, "Could this system be broken?" the answer is always going to be yes or maybe. No useful system is impenetrable. But if you think of it as a risk equation and ask yourself if the value delivered by this system is appropriate for the risks it introduces, and are there ways you can reduce those risks, very often you find effective techniques that don't cost very much.

Looking  ahead,  what  will 
be  the  biggest  challenges  for 
security  of  cryptosystems? 

We've already talked about the challenge of increasing complexity, which is making it more difficult to protect information. The second dimension to that is the problem of user education. It's pretty easy to build a security system where a perfect user could operate it securely, but end users aren't necessarily consistent in doing things right. The third is an economic challenge. People who suffer the risk and those who are in a position to pay for and deploy mitigation measures are different entities, which results in economically suboptimal spending on security. The big nasty problems like spam, piracy or operating system security: these are problems where entities who do not suffer the brunt of the problem are the ones securing mitigation measures. ISPs have the largest control over spam, but the recipient incurs the cost. Similarly, if an OS security disaster affects your laptop, Microsoft isn't spending thousands of dollars to fix it; you are.

So  how  do  we  go  about 
mitigating  these  risks? 

In many cases we don't. When there is a lack of alignment with economic interests, there are really two approaches that can solve the problem: technological changes that realign control into the hands of the entities that incur the risk, and legislative solutions. Those would include mandates that ISPs filter outgoing messages that are [going in high volumes] and that particular product protection technologies be implemented. That may be inefficient, but in many cases it's the only way to handle these problems. -Katherine Walsh




Photo  by  Paul  Chinn/Corbis 


Solving  Real-World 
Security  Challenges 
throughout  the  year 


Perspectives 

Becoming  the  Complete  CSO 


InterContinental-Buckhead 
Atlanta,  Georgia 


Register  today  at  www.CSOonline.com/conferences 

or  for  more  information  call  800.366.0246. 




Upcoming event sponsors include
Cisco

Presented by

Sun Microsystems


BUSINESS  RISK  LEADERSHIP 




COVER STORY | PHYSICAL SECURITY


This  New  England  school  was  built  to  maximize 
sight  lines-for  teachers,  administrators  and 
surveillance  cameras-without  sacrificing 
aesthetics. 


These  days,  when  towns  approve 
funding  for  new  high  schools 
they  demand  trendy  architects, 
high-end  sports  complexes  and 
security.  Lots  and  lots  of  security. 
Of  course,  demanding  security  has 
virtually  nothing  to  do  with  making 

it  effective... 
By  Scott  Berinato 




Photography  by  Furnald/Gray 




ABOUT FOUR YEARS ago, in a New England suburb, voters agreed to raise their taxes in order to build a new, $64 million high school. The old school was a hundred years old and, if you blocked out the spiritless addition tacked on in the '60s, it was magnificent to look at. But the place was crumbling. It strained to support modern educational basics like computer labs and lacrosse practices.

It's important to note here that in the early 21st century, one no longer builds a high school. One builds a campus. The trend in public school design comes from realty, "curb appeal," and with the trend comes the attendant jargon. Auditoriums have become performing arts centers, cafeterias are dining commons and the gym is part of an athletic complex. Parents, home buyers, even prospective teachers increasingly (perhaps erroneously) judge a town's quality of education by the quality of its buildings. Schools have become civic marketing. They must attract the best educators, increase property values and even generate revenue.

And  they  must  be  modern  marvels  of 
safety  and  security.  Security  is,  in  fact,  a 
major  element  in  contemporary  school 
design,  and  it  is  as  much  or  more  a  part  of 
curb  appeal  as  FieldTurf. 

Security  earned  this  status  in  1999,  after 
the  shooting  massacre  at  Columbine  High 
School  in  Colorado.  Despite  the  fact  that  a 
student’s  odds  of  being  murdered  at  school 


Wrangling  over  Risks 

A  sample  of  design  issues  and  stakeholders’  concerns 

Small  or  Large  Windows  on  Classroom  Doors 

Stakeholders' positions: Teachers wanted small windows so that a gunman would have limited visibility and a difficult time opening a locked door. Facilities and the principal wanted large windows, arguing that increased visibility between classrooms and the hall would offset more common risks like fights, theft and vandalism.
Minor  consideration:  Aesthetically,  larger  windows  are  more  welcoming. 

The  winner:  Facilities  and  the  principal  got  their  big  windows, 
in  part  by  arguing  that  if  a  gunman  really  wanted  to  get  in,  he 
would  be  able  to,  even  if  the  windows  were  smaller.  In  essence, 
visibility  won  over  lockdown  mentality.  Some  teachers  have  since 
come  around  on  the  windows. 

Cameras  in  Stairwells 

Stakeholders' positions: Facilities wanted cameras to complete visibility. The building committee said there were legal complications to monitoring in those stairways and wanted to "value engineer them out" (eliminate them to cut costs), believing that, given the potential privacy issues, they were unnecessary overkill.

Minor  consideration:  The  tall,  columnar  space  of  a  four-floor  stairwell  presents 
some  challenges  in  camera  placement  and  use. 

The  winner:  Stairwell  cameras  were  cut  from  the  plan.  Facilities  maintains  that  no 
legal  restrictions  exist  and  this  was  a  clear  cost-cutting  move.  Students  have  already 
learned  that  the  stairwells  are  unwatched,  and  they  go  there  to  smoke  and  cause 
trouble.  Cameras  may  yet  be  added  there. 

Police  Access  to  Security 

Stakeholders' positions: Police department wanted full access to the school's cameras along with remote control capabilities. Police also wanted access to the software that governs doors, lighting and lockdowns so that they could take complete charge of the school in a crisis. School stakeholders felt this level of access was unnecessary, could lead to abuse of privilege in less severe situations and could be potentially dangerous if both school officials and law enforcement were trying to control the system at the same time.

Minor  consideration:  More  people  with  access  would  mean 
more  people  to  train  and  manage  in  terms  of  access  control. 
The  winner:  Mostly  the  school.  Administration  managed  to 
limit  police  to  being  able  to  view  camera  feeds  without  the 
ability  to  control  the  cameras,  and  it  did  not  give  access  to 
the  other  security  systems. 

Keypad  Access  Points  on  External  Doors 

Stakeholders'  positions:  Law  enforcement  and  some  facilities  members  wanted 
keypads  added  for  optional  access  control,  which  they  argued  would  be  useful 
as  backup  and  if  faculty  and  staff’s  wireless  fobs  were  lost  or  their  use  was  being 
abused.  Facilities  director  argued  this  was  “one  more  thing  to  break  and  fix.” 

Minor  consideration:  Keypads  could  be  activated  for  revenue-generating,  off- 
hours  activities  with  many  strangers  on  the  premises,  like  leaguewide  tournaments. 
The  winner:  Everyone  or  no  one,  depending  on  how  you  look  at  it.  The  school  spent 
the  money  to  install  the  keypads  but  currently  they  are  not  used. 




Enclosed  courtyards  provide  students  with  a 
gathering  space;  windows  everywhere  provide 
real  and  perceived  accountability. 




today are less than one in two million—a risk two and a half times less likely than drowning in a bathtub—parents and teachers have internalized the vanishingly rare but ubiquitously publicized events like the shootings at Columbine and Virginia Tech. These events are used to justify extreme levels of security that, if you haven't gone to high school in the past decade, you may find difficult to comprehend.

As elements of a school's curb appeal go, security is probably the most complicated. You can't just rename something or lay it down like plastic grass and protect it against all risks equally. So before construction at this school started, the architect, Mary (all names in the story have been changed), brought the principal stakeholders to city hall. Around the table sat the principal; representatives from the police, fire and the building committee; Brad, the district's head of facilities; and Mary herself. Sometimes the mayor sat in. Essentially, this committee operated as both the CSO and the business stakeholders the CSO reported to. Their job was to satisfy as best they could all the stakeholders' agendas while still effectively reducing risk, and then defend their decisions with each other and with the community, with parents especially, who Brad says, "happen to have the most to lose and the least understanding of risk."

It  was  as  difficult  as  it  sounds  and  it 
required  difficult  conversations.  Everyone 
agreed,  for  example,  that  the  school  should 
have  smart  doors  that  have  magnetic  locks 
and  can  be  controlled  by  computer.  But  the 
police  rep  rather  intensely  demanded  that 
the  architects’  design  allow  for  complete 
lockdown  of  all  doors.  Lockdown  can  keep 
a  gunman  out,  or  at  least  slow  him  down. 
Reduce  the  number  of  people  shot  dead. 

The fire department rep protested with vehemence. He mandated that doors stay open on each of the school's four floors at all times. He was imagining the crush of students and teachers trapped in a locked-down building during a fire.

So they tried to compromise by allowing for a few doors to stay open plus adding a fire alarm override of lockdowns. But then, what if the gunman is smart enough to pull a fire alarm? Brad, the district's head of facilities, remembers the meeting as a wrenching exploration of risk. He remembers thinking, "We're basically talking about which is more likely to happen, a fire killing a lot of students or a gunman killing a lot of students, and how many students each would kill."

What about accidental explosions? What if we find weapons in a locker? Bomb threats? What about a violent spouse in a nasty custody battle showing up? The more risks they discussed, the more they conjured up. Brad says that a teacher had been killed in her home in this city in recent years, as had a student's mother in a separate incident, a visceral reminder of what was at stake.


"This is the hard part," says Mary, who insisted that these meetings take place and described them as cordial and professional but also exhausting. "There are code constraints and safety constraints and design constraints and they don't always work hand in hand. Sometimes you have to choose one over the other. Those are hard conversations."


The School

Design details of the New England suburban school

Style: "Modern, New England vernacular, with interpretive historic references"
Opened: 2006
Stadium: Planned opening for Thanksgiving football game, 2007
Footprint: 120,000 sq. ft.
Space: 340,000 sq. ft.
Students: Approx. 1,500
$$ Build: $64 million
$$ Security: $500,000+

Cameras
■ Approx. 60 (40 interior, 20 exterior), high-res, color with full pan-tilt-zoom
■ On four networks with DVRs

Doors
■ Automatic smart doors with magnetic lockdown hardware

Management
■ One-click building lockdown
■ Secure management interface for police, fire
■ Event-based programming of doors, lights, cameras

Access
■ Wireless fob for faculty and staff programmed to privilege levels
■ Event logging
■ Optional keypad authentication

CPTED (crime prevention through environmental design)
■ Long sight lines allow all hallways to be monitored by 12 teachers
■ Bathrooms, benches at hubs to encourage gathering close to teachers
■ Courtyards surrounded by windows
■ Limited landscaping around perimeter
■ Anti-graffiti brick halfway up many walls
■ Faculty lunchroom above cafeteria, windows look down to cafe
■ Large windows on classroom doors

Other
■ Motion detection
■ Can accommodate temporary metal detectors at main entry for security situations or after-hours events like league-wide tournaments
■ Designed as city's Emergency Preparedness Center with fuel cells, backup generator and more stringent building codes to serve as rescue center in a disaster

Ultimately,  it  took  six  meetings  to  come 
up  with  a  security  design  that  everyone 
could  agree  on.  Brad  pushed  hard  for  some 
features;  Mary  pushed  back.  The  principal 
was  adamant  about  other  elements.  The 
police  wanted  lots  of  access  and  got  some 
of  it.  The  city  invested  more  than  $500,000 
on  security  in  the  building  phase  alone. 
“Credit  to  Mary,”  says  Brad,  “it’s  a  beautiful 
school.  But  from  a  security  perspective  it 
was  a  difficult  process  to  get  here.” 

What follows is an exploration of that design, how it worked in its first year in operation and what the various stakeholders have learned—and are still learning—about securing the suburban high school.

The  Security  You  Notice 

THE NEW SCHOOL is described by the architect as "modern, in the New England vernacular," but a student pulling into the lot for the first time probably wouldn't think of that. She'd think that the school looks really long. Using a dramatic horizontal profile, Mary fitted a four-floor, 340,000-square-foot building onto a 120,000-square-foot footprint, preventing that massiveness from feeling as imposing as it otherwise might.

The student would notice plenty of security throughout her day, though. In the parking lot, she would pass under surveillance cameras fixed on posts higher than the flagpoles. Approaching the front door, she'd cross a stately row of lampposts that hang in a style mimicked by more cameras bolted to the front of the building. This is no accident. Architects want the cameras to blend in so that they don't disturb the overall look of the place, and the administration wants the cameras to blend in such that they appear neither covert nor hostile. In this case the aesthetic and the security are in perfect harmony.

In the bright, open lobby, windows to the left look in on the school offices, and the student won't miss the four flat-panel screens broadcasting feeds from the surveillance cameras. They're the first thing that catches her eye when she enters the lobby, and that's the point. But the message to her isn't meant to be "We're watching you" but rather "We're protecting you and we have nothing to hide." The fact that the feeds are in high-resolution color, not grainy black-and-white, and that John, the facility manager who operates them, chooses to put only one feed on each screen, rather than a windowpane of 15 feeds, makes them seem less menacing, less omniscient.

As  the  student  drops  her  books  in  her 
locker,  she  notices  the  cameras’  tinted 
domes  punctuating  the  hallway  ceilings, 
just  like  the  ones  at  stores  in  the  mall.  She’s 
heard  from  friends  that  some  cameras, 
she’s  not  sure  which  ones,  can  pan,  tilt  and 
zoom  all  around. 

Later, when the student's staring out the window during trig class, she sees exterior cameras that lord over one of two courtyards. She can't miss the cameras watching her eat Tater Tots in the cafeteria.

She won't count, but there are about 60 cameras total. She might not know that John will, as part of his nothing-to-hide philosophy, let her see and operate the cameras, and show her the stack of DVRs that capture all the video. He's done this for several students already. He shows them how every time a teacher uses the wireless fob to open a door, the event is logged, and that the event can be matched up to video of the event. He shows how if someone pushes on a locked door, the event is logged, and if someone leaves a door open too long, the event is logged and it triggers an alarm on his computer. He shows how he can lock the entire building down with one click and preset the time doors unlock and lights turn on. He might mention that the police have secure access to the camera views. "Usually, their jaws drop," says John.

Many corporate CSOs would love to have John’s system. But while its capabilities would surprise the student at first, both Brad and John say she wouldn’t be particularly fazed by it. It’s a generational thing. Kids just don’t care; they live their lives under surveillance. And besides, both men say, the student’s probably savvier than you think. She almost certainly already knows that there are no cameras in the stairwells at each end of the building and, if she smokes, that’s where she’ll light up.

Nor, they say, is she fazed by perhaps the most visible security measure of all, the onsite uniformed police officer. She and her friends trade text messages during the day to let each other know where the cop is stationed. She knows that the school is locked during class and if she leaves, she can’t get back in without buzzing the front desk and having to explain herself. She knows that teachers carry small wireless fobs that open the locked doors.

Statistics 101

Injuries and fatalities at school are, generally, trending downward, and the risk of dying at school remains vanishingly rare. But the risk is so spectacular that competing towns find themselves building in the latest high-tech security to attract the best educators and also satisfy the demands of parents who believe the risks are more common than they are. Some numbers...

1 in 2 million: chances of a K-12 student dying at school by violence or suicide
5.5 percent of K-12 students were victims of theft or violent crime at school
81 percent of schools reported one violent incident or more at their site
27 percent reported bullying
17 percent reported undesirable gang activity
11 percent reported verbal abuse against teachers
3 percent reported undesirable extremist/cult activity
3 percent reported widespread disorder in a classroom
2 percent reported racial tension
6/8 percent of teachers were threatened with injury by a student in an elementary/secondary school
4/2 percent of teachers reported being physically attacked by a student in an elementary/secondary school
21 percent of students in suburban schools reported gang activity
18 percent of males had been in a fight on school property in the last 12 months
10 percent of males carried a weapon on school property in the last 30 days
41 percent of students drank alcohol on school property in the last 30 days
5 percent of students used marijuana on school property in the last 30 days

Source: U.S. Department of Justice statistics on school crime and safety for the 2004-05 school year (the most recent data available), based on 55 million enrolled K-12 students

COVER STORY | PHYSICAL SECURITY

Before soccer practice one afternoon, one student confirms all of this and she adds: “The cameras are dumb. I had my cell phone stolen and the camera wasn’t pointed in the right direction to catch the kid.” Indeed, students have come to think of the cameras as an asset—they ask John to review tape to see if they could catch whoever stole their cell phone or bike. “We encourage that,” says John. “We want the kids to think of this as a resource, not just surveillance. We don’t want it to feel like a prison, because it isn’t.”

The Five Elements of a School Security Plan

Often people think of a security plan as just crisis response: what you do when something bad happens. In fact, that’s just the fifth element of a comprehensive plan. Here are the elements you should think about when creating a facilities security plan.

1. Deterrence. Training, awareness, lighting, signage, perimeters, visible cameras, human interaction, CPTED design
2. Detection. Surveillance, patrol, motion detection, alarms, anonymous tip lines
3. Delay. Locks, lockdown doors, lockdown procedures, vestibules and mantraps, glazing
4. Communication. PA with battery backup, two-way radios, cell phone policies and procedures, e-mail and texting capabilities, PR response plan
5. Response. Security team procedures, law enforcement, fire and civic liaisons, lockdown procedures

Source: Paul Timm, Reta Security Inc.

The  Security  You  Don’t  Notice 

IT’S NO ACCIDENT that the school doesn’t feel like a prison. Design elements that reduce security’s burdensome presence—light, open space, bright colors, an unimposing profile—will reduce anxiety and create a more positive atmosphere, which in turn reduces the likelihood of someone choosing to act out. This idea is part of CPTED, crime prevention through environmental design. CPTED has been evolving for more than 30 years, but the basic idea is constant—that you can design more defensible space that discourages bad behavior. It is equal parts design and psychology. But CPTED principles do not dictate the high school’s design; they inform it.

Our  student  arriving  in  the  parking  lot 
wouldn’t  notice  this  part  of  the  school’s 
security  throughout  her  day. 

From the parking lot, the student sees a long building, but a CPTED adherent sees a building that is not intimidating or institutional. If it feels like a prison, students will feel like prisoners and treat the building that way.

As the student passes the stately lampposts, she wouldn’t notice how few protected-from-view niches exist. She wouldn’t notice the fact that there are no bushes or other landscaping along the perimeter of the building. The design discourages hiding by limiting hiding spaces.

In  the  lobby,  while  she’s  looking  at  the 
flat  screens,  she  wouldn’t  notice  how  open 
the  space  is  or  the  fact  that  the  windows 
of  the  office  allow  a  full  view  of  the  entire 
lobby.  She  doesn’t  notice  that  the  second 
floor  corridor  opens  up  to  become  a  visible 
bridge  when  it  crosses  the  lobby.  You  can 
see  the  entire  lobby  from  up  there  and  vice 
versa.  Public  space. 

At her locker, she doesn’t notice that the corridors meet at hubs, from which one teacher can see the entire length of the building and down one of three wings. Because of this design, as few as 12 teachers, three per floor, can monitor every hallway in the building. The bathrooms and some benches are located in these hubs, where a teacher would be standing. It’s a tacit way to encourage the student and her friends to gather there, close to the teachers, which in turn discourages misbehavior. “Teachers,” says Mary, “love the long lines of sight, the broad hallways.”

[Photo caption] Overt, not covert: Highly visible monitors help keep an eye on the students and facility. The location in the main office helps allay concerns about inappropriate monitoring.

In trig class she doesn’t notice that the door to the classroom has a large window so that teachers can see out and others can see in. Transparency. She doesn’t notice as she looks outside that the courtyard is surrounded by classroom windows. It is another announcement to anyone in that space that it is public space and you are not hidden from view. That same announcement is made silently in the cafeteria, where the faculty lunchroom sits above the cafeteria with windows that look down on all the students eating their Tater Tots. Lines of sight! Everywhere, it seems, is visible from somewhere else, and all one has to do is go to an old school to understand the effect of this.

Mary has tried to create a space that allows CPTED concepts to exist naturally, and she has largely succeeded. “If anyone tells you as an architect that they’ll let security override design, they’re not telling the truth,” says Mary. “But it has to be part of the process. It’s hard not to think of Virginia Tech or Columbine. You have kids of your own and you’re designing a school, it’s unavoidable. But you can’t let it dictate the design.”

The  First  Year 

FOUR DAYS AFTER the new high school opened, there was a brawl. The principal got tangled in it. It was caught on camera and now lawyers are involved. Then, across town at a bus stop, someone found a nonspecific threat against the school; quietly, the administration intensified its daily lockdown procedures, and those procedures remain in place. Recently, the onsite officer apprehended a person who was loitering, someone the kids might call a “sketchy perv.” The security seems to be working.

If you ask Brad or Mary or others which element of the new school’s security has proved most valuable, which has performed best during this busy first year, they would tell you that it was John.




Lessons Learned at the Suburban High School

1. Force tough discussions about safety and security up front. This prepared the stakeholders for questions and challenges to their security decisions, and prevented political wrangling, discord between police and fire, and friction with parents.

2. Be prepared to defend decisions with people who have a lesser understanding of risk. Parents and, to some extent, teachers, understandably worry about spectacular but rare risks like school shootings. While those need to be addressed, more prosaic risks do too, and from the same pool of money. This school’s group of stakeholders prepared itself to explain the trade-offs and relative likelihood of certain risks.

3. Do not think of security as a one-time capital investment and do not let other stakeholders think that way either. High-res cameras are great. Smart doors are great. But these devices have expected life cycles. In schools, for example, doors take a beating. Make sure everyone involved realizes that investing in cutting-edge security will mean investing in maintenance dollars later.

4. Hire an expert in school security management, pay the expert well and let the expert create a thorough, sound security and safety policy. Without question, the stakeholders at this school say hiring John, the facilities manager, was its single most important decision contributing to success. John not only had experience with computer-managed facilities security but also knew that creating policies for its use was more important than anything.

5. Practice disaster scenarios. There’s no such thing as eliminating risk, so the school practices lockdown procedures just like fire drills.




“Really, without John, all of this great security would go to waste,” says Brad, the district facilities manager. John was hired because of his experience with computer-based facilities control at a high-profile college in the area. He knows his stuff.

But more than just technical savvy, he knows that policy is more important than gadgets. He knows, for example, the laws around surveillance in public places. He knows what procedure to follow if a parent demands to see some video because of something that she claims a teacher did to her son—a scenario that hasn’t played out yet but John has no doubt eventually will.

“You don’t have someone like John in many places; he’s not your everyday guy,” says Mary. “In a lot of new schools, you have great design specs for security, lots of toys, no one who can manage them and it becomes useless. It just sits there unused.”

Mary thinks this might be because school districts hesitate to invest the money it requires to have someone skilled with this kind of infrastructure. “I think some schools think they can just promote a custodian and teach them this stuff, but this is advanced computing.”

John has spent the first year learning. He says that event logging is great, but it can become a burden. The smart doors, for example, logged 8,553 pages of events in the building’s first year of operations. He’s been sorting out what policy to put around this, how long and where to keep this data. He also wants to ingrain standard operating procedures on staff. Too often, he says, someone with clearance to manipulate a camera will do so and forget to reset it. Thus the student whose cell phone was stolen was out of luck because the camera was pointed the wrong way, as it was when another student’s bike was stolen. “We’ll get it worked out,” says John. “It’s still new.”
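The logging and alarm behaviour John describes earlier (every fob use logged and matched to video, a push on a locked door logged, a door held open too long raising an alarm) and the two operational problems he raises here (event volume and cameras left pointing the wrong way) reduce to a small triage pass over the access-control event log. The block below is an added example written for this edit; it is not the school’s system or any vendor’s code. The log format, the device names, the door-to-camera map, the unlock and held-open thresholds and the home-preset convention are all assumptions, and the log lines are constructed.

```python
"""Triage an access-control event log.

Added example, not code from the article or the school's system. It turns a
constructed log of badge-reader, door-contact and camera events into the
alarms the article describes, plus a check for PTZ cameras left off their
home preset. Device names, thresholds and the log format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values; a real deployment reads these from the access
# control system's configuration.
UNLOCK_WINDOW = timedelta(seconds=5)     # a badge must precede the door opening by at most this
HELD_OPEN_LIMIT = timedelta(seconds=30)  # open longer than this and the door is "held open"
CLIP_PADDING = timedelta(seconds=15)     # footage to pull either side of a badge event
HOME_PRESET = "1"                        # PTZ preset every camera should rest at

# Assumed map of which camera covers which door.
DOOR_CAMERA = {"D-101": "CAM-07", "D-204": "CAM-12"}

# Constructed sample log. Fields: timestamp, device, event kind, subject
# (badge id for BADGE_OK, preset number for PTZ_PRESET, '-' otherwise).
SAMPLE_LOG = """\
2007-09-10T07:58:02 D-101  BADGE_OK   T-0412
2007-09-10T07:58:03 D-101  DOOR_OPEN  -
2007-09-10T07:58:10 D-101  DOOR_CLOSE -
2007-09-10T09:14:30 D-204  DOOR_OPEN  -
2007-09-10T09:14:33 D-204  DOOR_CLOSE -
2007-09-10T12:05:00 D-101  BADGE_OK   T-0099
2007-09-10T12:05:01 D-101  DOOR_OPEN  -
2007-09-10T12:05:45 D-101  DOOR_CLOSE -
2007-09-10T12:06:00 CAM-12 PTZ_PRESET 3
2007-09-10T12:06:10 CAM-07 PTZ_PRESET 4
2007-09-10T12:09:00 CAM-07 PTZ_PRESET 1
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    kind: str
    subject: str


def parse_log(text):
    """Parse whitespace-separated log lines into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, kind, subject = line.split()
        events.append(Event(datetime.fromisoformat(ts), device, kind, subject))
    return sorted(events, key=lambda e: e.ts)


def triage(events):
    """Return (kind, device, detail) findings in the order they are raised."""
    findings = []
    last_badge = {}  # door -> time of the most recent valid badge read
    open_since = {}  # door -> time the contact reported it open
    preset = {}      # camera -> preset it was last moved to
    for ev in events:
        if ev.kind == "BADGE_OK":
            last_badge[ev.device] = ev.ts
            cam = DOOR_CAMERA.get(ev.device)
            if cam:  # the logged fob event matched to the covering camera's footage
                start, end = ev.ts - CLIP_PADDING, ev.ts + CLIP_PADDING
                findings.append(("VIDEO_MATCH", ev.device,
                                 f"{ev.subject} on {cam} {start.time()}-{end.time()}"))
        elif ev.kind == "DOOR_OPEN":
            open_since[ev.device] = ev.ts
            badge_at = last_badge.get(ev.device)
            if badge_at is None or ev.ts - badge_at > UNLOCK_WINDOW:
                # Contact opened with no badge read just before it: a push on a
                # locked door (a propped or forced door looks the same here).
                secs = int(UNLOCK_WINDOW.total_seconds())
                findings.append(("FORCED", ev.device, f"opened with no badge in the prior {secs}s"))
        elif ev.kind == "DOOR_CLOSE":
            opened = open_since.pop(ev.device, None)
            if opened is not None and ev.ts - opened > HELD_OPEN_LIMIT:
                secs = int((ev.ts - opened).total_seconds())
                findings.append(("HELD_OPEN", ev.device, f"open {secs}s"))
        elif ev.kind == "PTZ_PRESET":
            preset[ev.device] = ev.subject
    # End-of-log state: doors still open past the limit, cameras left off home.
    if events:
        last_ts = events[-1].ts
        for door, opened in sorted(open_since.items()):
            if last_ts - opened > HELD_OPEN_LIMIT:
                findings.append(("HELD_OPEN", door, "still open at end of log"))
    for cam, p in sorted(preset.items()):
        if p != HOME_PRESET:
            findings.append(("CAMERA_OFF_HOME", cam, f"left at preset {p}"))
    return findings


if __name__ == "__main__":
    for kind, device, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:16} {device:7} {detail}")
```

Run it as a script to print the findings for the constructed log, or pass a real export to parse_log. The end-of-log check is the one that would have saved the stolen-phone footage: a camera still off its home preset when the log closes is reported regardless of who moved it, which turns “remember to reset it” from a procedure staff must remember into something the system enforces. The same pass, run nightly, also gives a first answer to the retention question: only the findings need to be kept for long, while the raw event pages can age out on a shorter schedule.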

Brad, meanwhile, has no complaints, but he’s thinking big picture. “I made sure up front that they all knew that these doors are great but that doors have a life expectancy. I’m going to need money down the line to maintain them.” Other people, Brad says, see a door that can do lots of things. He sees a door that has lots of parts that can fail. “I see $1,200 repair jobs. So you worry that they get the technology but then don’t give you the money to maintain it.”

He  points  to  the  dark  slate  bricks  that 
run  halfway  up  the  corridor  walls.  “For 
Mary,  this  is  a  design  element.  For  me,  it’s 
anti-graffiti.  I  wanted  these  bricks  all  the 
way  to  the  ceiling.  Mary  said  that  would 
make  the  space  dark  and  institutional.  She’s 
probably  right.  I  compromised  on  that  one. 
I  won  some;  I  lost  some.” 

Brad also thinks about teacher turnover. “Sometimes we forget when new teachers come in that maybe they don’t understand all of the security elements. We need to formalize and standardize training.”

Still, these are relatively minor issues. Both Brad and John acknowledge that, from a security perspective, they’re quite fortunate. “I’m amazed all new schools don’t do this,” says John. “We’re at the cutting edge a little bit. We could have done more, but this does the job.”

In fact, one could argue the amount of security here is overkill. Even Mary, the architect of this suburban New England school, says, “That school’s security is probably more than it needs to be, but when you spend that much on a new school, parents expect it. They demand it.”

It’s  good  for  the  campus’s  curb 
appeal.  ■ 


Send feedback to Executive Editor Scott Berinato at sberinato@cxo.com.


Four Low-Cost, High-Yield School Security Techniques

Parents want you to buy a lot of cameras. These techniques provide equal or better results in mitigating risks while costing next to nothing.

Colored lanyards. All faculty, staff and visitors should wear badges attached to colored lanyards (preferably with breakaway clasps), and the colors should correspond to their role (e.g., red for faculty, blue for visitor). It’s a simple way to identify people from a distance and also spot suspicious people roaming without a lanyard.

“Hi. How can I help you?” Staff and even students should be trained to ask strangers this question. Note the wording of the question. “Can I help you?” will not work because it gives the person the opportunity to say “No.” “Hi” is polite and disarms the person. The word “how” forces the person to state a purpose. An inability to answer this question easily is a tip-off that the person could be up to no good.

Operating profile map. A simple way to understand what needs to be done from a security and access control perspective is to map out your facility’s operating profile. Draw a time line that starts at 12 a.m. and ends at 12 a.m., covering a full 24 hours. Then draw three lines underneath: one that stretches across the “operating day,” when the highest concentration of assets (students) is present; a second for facilities, stretching for as long as some access to the building is needed, regardless of whether school is in session; and a third for dark hours, when zero access to the school is required. These maps can be made for general operating times and also for weekends or special events and can help stakeholders understand what policies are in place when.

Crisis card. A single laminated card with major risks and proper responses can be made to stick under the phones of staff. Risks are listed in three categories and are color coded: green for environmental risks (e.g., weather), blue for medical risks (e.g., seizure) and red for security risks (e.g., bomb threat). Under each of these categories, the specific risks are listed in order of most likely to occur to least likely.

Source: Paul Timm, Reta Security Inc.




The churn and froth in the infosec industry never ends, as vendors consolidate, spin off and reposition. But are CSOs getting better security as a result?


By  Lawrence  M.  Walsh 


INFORMATION  SECURITY 


PERHAPS IT’S APT that Symantec chose “Hamlet” as the code name for its Endpoint Protection Version 11. After all, the infamous, indecisive prince of Shakespeare’s tragic tale suffered from longing ambition and a failure to vanquish his enemies to achieve his ultimate aims. The same might be said not just of Symantec, but of the entire security industry as it tries to sort out its ultimate composition. Consolidation versus stand-alone companies. Best-of-breed point products versus holistic suites of security technologies. Security specialists versus one-stop shops for all IT needs.

Symantec is just one example of the Hamlet dilemma. Since its 2004 merger with Veritas, critics have charged that the world’s largest security company has lost its focus as it has broadened its horizons into storage management software. Longtime customers and partners have complained bitterly about the decline in quality in Symantec’s security technology and support. Earlier this year, Symantec’s resellers were in near revolt over the bloated Symantec AntiVirus Corporate Edition 10, calling it an ineffective, unmanageable “resource hog.” Hamlet is designed to restore confidence in Symantec’s security products.

“We’re  trying  to  be  more  cognizant  of 
users  and  their  resources,”  says  George 
Myers,  a  Symantec  director  of  product 
management  on  the  Hamlet  project.  “None 
of  these  technologies  is  a  silver  bullet,  which 
is  why  you  need  layered  technologies.” 

Symantec Endpoint Protection combines the power of multiple security technologies—software firewall, antivirus and malware protection and intrusion prevention—in a package with a significantly smaller footprint than its predecessor. It reportedly will have a 21MB footprint as opposed to the nearly 100MB of space required for Version 10.

Symantec hopes its new release will help squelch its critics. Some customers and—no surprise—competitors blamed Symantec’s security product woes on a lack of focus. Since the 2004 merger with Veritas, Symantec has spent most of its energy on the storage market and lost its way on security, critics charge. While Symantec made key strategic acquisitions to bolster its security offerings—such as the purchase of Sygate for its endpoint security and Altiris for configuration management—it completely abandoned the security hardware market and the rapidly growing unified threat management appliance market. Meanwhile, the onetime world’s largest freestanding security company is now drawing most of its revenue from storage and data management software sales, particularly through the sale of products it inherited from Veritas. According to the 2007 Symantec annual report, gross revenue soared more than $1 billion and profits jumped by nearly $350 million, buoyed primarily by the full inclusion of Veritas revenue.

By comparison, Symantec’s profits were $156 million in 2006, and its net earnings and profitability per share were slightly lower than those of the smaller CA (formerly Computer Associates). Dollars and cents are only one measure of success; the decline in security product quality has led some to question Symantec’s acquisition of Veritas, wondering if it was a mistake to drift away from the company’s traditional security core. It’s criticism that Symantec CEO John Thompson shrugs off.

“People  certainly  have  an  opinion  about 
what  we  should  or  shouldn’t  do,  but  we’re 
focused  on  helping  customers  better  man¬ 
age  and  protect  their  information,”  says 
Thompson. 

With antivirus commoditized and on the verge of becoming valueless with the entry of Microsoft into the market, the major security vendors—Symantec, McAfee, Trend Micro and Check Point Software Technologies—are moving at warp speed to position themselves for the next evolution in risk management: data leakage. At the same time, noncore security vendors—such as Cisco Systems, IBM and EMC—are moving deeper into the security markets through organic development and strategic acquisitions. Never mind the hundreds of small security vendors that are peddling their wares in hopes of building the next big powerhouse (or achieving enough critical mass to warrant acquisition).

“Why  should  I,  as  a  user,  have  to  pick 
apart  each  part  of  the  security  problem?” 
says  Lloyd  Hession,  CSO  at  BT  Radianz,  a 
provider  of  application  services  to  financial 
institutions.  “The  ‘Yellow  Box’  approach  is 
more  about  putting  products  in  the  same 
color  box  than  true  integration.” 

But has the information security market matured to the point where the consumers—enterprises to end users—are ready for holistic technology suites delivered by one vendor? Or do best-of-breed security infrastructures still trump the one-stop shops? Should vendors have a singular focus on security, or will customers accept a vendor with diverse product lines that include security? Most important, are security vendors bringing valuable technologies that improve security and add simplicity, or are they pushing increased complexity without improving security?

Putting  Security  in  Focus 

“WE ARE FOCUSED on nothing but security” is a common refrain in the halls of the large security vendors. Those companies that have achieved the mass to make them among the largest technology companies have faced the same choices as Symantec: diversify or face stagnation in an ever-competitive marketplace. Companies such as Trend Micro, Check Point and McAfee are resolved to remain focused on security and avoid the distractions of acquiring nonsecurity products.

McAfee knows the pitfalls of a diversified product line. Network Associates—the precursor to today’s McAfee—was formed in 1997 when network monitoring tools vendor Network General merged with up-and-coming antivirus vendor McAfee in a $1.3 billion deal. The new company—the largest security and network management company and the 10th-largest software company in the world at the time—started to spread its wings with complementary network management, traffic monitoring and security products. The idea was creating a one-stop shop for security and network management tools. “I think they’re really poised to be the premier security company,” an Infonetics Research analyst said at the time.

The  merger  failed  because  none  of  the 
products  was  properly  integrated  into  a 
holistic  offering  and  none  of  the  offerings 
was  best  in  class. 

While others have flirted with the concept of a one-stop shop, no one has brought all the complementary security technologies that provide perimeter and client-level security under “one pane of glass.” Staying focused on nothing but security gives them an advantage, the executives of these firms argue.

“When  you  get  in  the  elevator  and  you 
push  the  button  up  to  security  and  the 
button  down  to  storage,  it’s  two  different 
selling  propositions,  and  that’s  why  they 
[Symantec]  are  having  such  a  hard  time,” 
said  McAfee  President,  CEO  and  Director 
David  DeWalt,  in  an  interview  less  than  90 
days  after  assuming  his  new  post.  “There’s 
no  need  to  diversify.  There  is  so  much  room 
for  consolidation  that  we  don’t  need  to  move 
beyond  security.” 

Echoes of DeWalt’s defiance are heard up and down Silicon Valley. Check Point CEO Gil Shwed has dismissed the idea of the firewall software company taking on networking or nonsecurity products. Trend Micro CEO and Director Eva Chen believes remaining focused on security gives her antivirus company an advantage as it migrates to reputational analysis of malicious websites. And CEO Gene Hodges aims to keep Websense and its emerging array of capabilities targeted as an antivirus alternative.

But domain expertise may not be enough. DeWalt comes from a world of diversified product lines and go-to-market strategies. While Symantec isn’t keeping him awake at night, the continued penetration of broad-line IT vendors has him counting sheep. Cisco Systems is pushing out on multiple fronts from telepresence and unified communications to security. EMC’s acquisition of RSA Security filled a significant gap in its information lifecycle and storage-management story. IBM snapped up Internet Security Systems last year to bolster its service offerings. Oracle continues to develop an identity management platform through a series of small acquisitions. And Google surprised many with its acquisitions of GreenBorder (Web browser security) and Postini (e-mail security).

Microsoft has been threatening entry into the security market since it launched its Trustworthy Computing initiative in 2002. Few traditional security companies believe that the Windows maker poses a threat to their antivirus or perimeter security business. Nevertheless, Microsoft sees opportunity. “We want to be a player in the security market, mostly because our customers want us there,” says Kevin Turner, Microsoft’s chief operating officer.

The challenge for the pure-plays, says Hodges, is maintaining pace and market viability against competitors that are larger with deeper pockets for wheeling and dealing in head-to-head competitions. “The job for us smaller guys is to drive the technology,” he says. “If you are a pure-play, you don’t have much choice other than to just sell yourself.”

The  Quest  for  Simplicity 

CARY WESTMARK, the vice president of IT at Troon Golf, is still repeating himself when meeting with security vendors, large and small. “We’re managing golf courses, not NASA, and we don’t need and can’t afford NASA security.” Managing 185 high-end golf courses in 32 states and 28 countries, Troon Golf is singularly focused on attracting golfers to the greens and keeping them there with luxury accommodations and services. Its IT systems are built around that purpose; security is simply a piece of what it takes to connect 1,300 workstations, users and branch locations for smooth, uninterrupted operations.

What’s  frustrating  to  Westmark  and 
many  IT  and  security  managers  is  that 
vendors  aren’t  looking  at  their  true  busi¬ 
ness  and  operations  needs.  Rather,  they’re 
manufacturing  total  cost  of  ownership  and 
return  on  security  investment  models  that 
justify  the  acquisitions  of  their  products. 

For instance, at the recent Infosecurity New York conference, a vendor of IP-enabled surveillance videocameras claimed that it could correlate a person’s image with a smart card ID that activated a turnstile, a door lock and, ultimately, a workstation’s network credentials—all in real time. When asked how it handles bandwidth issues, the vendor responded: “Bandwidth isn’t an issue because we run our own lines.” When asked how it manages all the stored video and access log data for auditing, the vendor responded, “Storage really isn’t an issue. Disk space is so cheap that you can just buy more disks.”

Walk any trade show floor or exhibit hall and you’ll find a product to meet any conceivable security risk or threat. Beyond the commoditized network security systems (firewalls, NIDS, VPNs) and client security suites (endpoint security, antivirus and malware protection) there are a multitude of offerings that address application security, database encryption, USB token locks, policy management, auditing and forensics tools, identity management and more. While each product has a viable use in specific instances, security executives say that few have broad-based applicability. Nevertheless, security vendors will hard-sell their products to meet their sales quotas and revenue objectives. “There’s an 80/20 rule in security products—only 20 percent of the security products are really useful,” says BT Radianz’s Hession.

Consolidation is a persistent reality in the security space. Many security entrepreneurs start out with a simple business plan: build product, achieve relative critical mass and sell to Cisco, Microsoft or Symantec at a 10-time revenue multiple. Mergers and acquisitions are often the means by which larger technology companies obtain the innovations of free-thinking entrepreneurs. Many of Microsoft’s security offerings are the result of acquisitions, and Symantec, McAfee and CA are the amalgamation of dozens of acquisitions. Large vendors continue to snap up smaller rivals for their technologies. Whether those technologies ever make it into broader distribution is an entirely different issue.

“I’d like to see more innovations with new technologies and approaches,” says Roger Fye, vice president of IT at Dial Global, a subsidiary of Excelsior Radio Networks and the largest independent radio network in the country. “What we’ve seen over a period of time is the big guys sitting on their thumbs, and now they’re trying to reposition themselves.”

Evolution of security technology and products is an absolute necessity, says Richard Stiennon, chief marketing officer of unified threat management device provider Fortinet. His company is constantly looking for ideas on consolidating functionality. Security is tasked with responding to new trends and threats, making it far more dynamic than other IT sectors. The market, he says, isn’t mature, and that’s reflected in the fragmentation of technologies offered by security vendors and choices large vendors make in their acquisitions.

“It’s a bunch of individuals making bad decisions,” says Stiennon. “I think it’s a lack of understanding of their own industries that leads them to make bad acquisitions. When you get to the size of Symantec and McAfee, it’s not security people running these companies, and they don’t talk to their customer often enough.”

End users, however, are split on whether they would prefer vendors who are solely focused on security, or the conglomeration of technologies under one vendor umbrella.

“It would be nice to have only one vendor to call,” says Rob Israel, VP and CIO of John C. Lincoln Health Network in Phoenix. “It would make life a lot easier.” “The world is going to change, and I don’t want to be in three or four different systems and then have to pay someone to come pull it together and tell me what I need to know,” echoes David Jordan, CISO of Arlington County, Va.

Although consolidation may have the mythical appeal of producing simplicity, skeptics say the major security vendors still haven’t done a good enough job in integrating the products they already have and persist in pushing new products that bolster their revenues without adding true value to security infrastructures. Many security managers say they can achieve higher levels of security with low-cost, high-impact security policy and process management.

“The industry is too complex, too dynamic for anyone to build an effective suite and create one-stop shopping,” says Scott Mackelprang, vice president of security and compliance at Digital Insight, an ASP for midsize banks and subsidiary of Intuit. “If you think you’re going to buy into a suite, it won’t be the answer to your problems.” ■


Lawrence M. Walsh is a freelance writer based in New York and the former editor of Information Security and VARBusiness magazines. Contact him at lmwalsh@twentyonetwelve.biz.


DISASTER PREPAREDNESS

Connecting the Dots

Former DHS leader Tom Ridge talks about the practicals of communication and collaboration

Ask Tom Ridge, the two-term governor of Pennsylvania and first U.S. secretary of homeland security, about preparing for disaster and his answer won’t surprise you: Collaboration is paramount, whether it be between public and private sectors, CEO and CSO or IT and security.

Ridge recently launched Ridge Global, an advisory firm based in Washington, D.C., with practice areas such as technology innovation and integration, global trade security, risk assessment and contingency planning, and crisis management and communications. Ridge spoke to CSO Associate Staff Writer Katherine Walsh about his challenges at the Department of Homeland Security, the importance of disaster preparedness and how to battle complacency.

CSO: One frustration with security has to do with complacency. Why do you think that is, and how does our current level of preparedness as a nation compare to pre-9/11?

Tom Ridge: Complacency is what keeps me awake at night. It’s predictable in human terms, but unacceptable as well. It’s predictable in the sense that it’s been six years. And in spite of global communication, when we see risk and tragedy and disasters and terrorist attacks, we just don’t seem to have that same sense of urgency that we did in the first couple years after 9/11. The professionals have it: the police, firemen, emergency service personnel and the military. But in the corporate world—and even to a certain extent, the political world—there isn’t quite that same sense of urgency.

One of your themes is the importance of collaboration. Why is that so necessary to disaster preparedness at an organization?

To give an example from the public sector, homeland security is much bigger and more important than one cabinet agency, although the agency does have to be the catalyst for change, the catalyst for communication and the catalyst for collaboration. But at the end of the day, the country cannot maximize its ability to protect itself or maximize its ability to become as secure as possible without involving all levels of government, as well as the private sector. Homeland security goes far beyond distributing billions of dollars to state and local governments to build infrastructure. It’s actually building a network of, and building and sustaining relationships with, the private sector. Frankly if [the federal government] had built a better mechanism for disaster recovery and allowed the private sector to assist, Hurricane Katrina wouldn’t have been such a mess. But right now it’s very difficult for the private sector to contribute to and collaborate with the government. As such, we are missing enormous opportunities to make ourselves safer. So that’s why at the end of the day collaboration is critically important. The federal government, as big as it is, needs to work with the private sector. We can’t secure the country from inside Washington, D.C.

What are some specific ideas for how the government should work with the private sector?

I firmly believe that as the country responds to HSPD 7 (related to critical infrastructure) we should look to the private sector for best practices and to help us build residual capacity to respond to disaster. We should look to them to get more loaned executives in the government to deal not only with security and safety but to make the government more efficient and effective. That will take a major upheaval, but I strongly believe in it. We’ve got the talent and interest and commitment in the private sector, but because of some of the rules here in Washington, we can’t tap into them as aggressively as we would like. When I was casting a net to pull in some members of the Homeland Security Advisory Council, I had some friends of mine reject my solicitation because they had to fill out massive documents disclosing everything they’d ever done throughout their whole life. Keep in mind, this is an advisory council: It’s not as if they’d have access to any top secret intelligence; it’s not as if they know anything in great detail about operations. I wanted smart people thinking differently about different things. There are so many things the private sector could help us do more effectively here in the U.S., but we’d have to change some ethics rules in Washington.

Along those same lines, what was it like to head up a new agency? How did you bring order and foster collaboration among other government agencies when you became secretary of DHS?

Well, the management team that we assembled—many of whom were volunteers coming out of the private sector—were top-notch subject matter experts who were committed to making their country safer and building a strong foundation within the department. There was a sense of mission that made it a little easier [to foster collaboration] than most people might think. The integration of people and technology will continue to take years to achieve, but if you have a good team around you and confidence in their ability to address anything that comes down the path, then you get up in the morning and feel good about what you’re doing.

What were your major challenges and accomplishments at DHS?

The biggest challenge that continues in DHS wasn’t as much on the security side, it was on the business side. I like to tell my friends in the private sector that DHS was really a big holding company. It still is. Under the umbrella of the holding company there were mergers, acquisitions, divestitures, startups and other things that couldn’t be anticipated. Under that incredible litany of activity, it was difficult trying to rationalize the business line function and bring economic and fiscal rationality to this merger of units of government. It’s a hurdle that continues today, and I think even my successor’s successor will have similar challenges. Also, from the policy and security point of view, we knew there were a lot of things we needed to do: build in multiple-layered defense and security measures around commercial shipping and aviation at the border. We needed innovation; we needed change.

One struggle of CIOs and CSOs right now is convincing upper management of the ROI of security: It’s the challenge of selling security. How do you go about doing that?

I have a lot of empathy for CIOs and the CSOs because when they would like to beef up their IT systems and want to embed preparedness and recovery plans into their networks, they have to go to the CFO and CEO and say, “I need X number of dollars to do this,” and the first response they’re going to get is, “What’s the risk? What’s the threat? That’s a big expense, where’s the ROI?” But I think in a more globally competitive marketplace, a more interdependent marketplace—a post-9/11, Sarbanes-Oxley world—there are far greater vulnerabilities to a commercial enterprise today than ever before. It’s not just about profitability, it’s about the intangible asset—your brand—that’s at risk. I would hope CFOs and CEOs and boards of directors would pay a little more attention to the risk assessment rendered by security officers or information officers when parceling out annual budgets. You have to manage the risks, and there are certain ones that need to be managed regardless of ROI. People buy insurance and hope they never have to use it. At the end of the day, that’s an enormous expense. But it’s an expense that we use to safeguard [against] the possible undermining of our brand or profitability. There are all kinds of pressures—quarterly returns and market expectations—but given the nature of the competitive world and the interdependency of the marketplace, 9/11 and Sarbox, we better start paying a little more attention to CIOs and CSOs.

What is the most important thing these executives can do in their organizations in terms of business continuity and disaster recovery?

There are occasions in which the CSO or CIO can make a case for an additional security investment that has economic benefits. Perhaps it makes the commercial enterprise more productive or more efficient. You have to go on a case-by-case basis. The best way to convince the business you need to spend more money is to show it will yield a security benefit and a productivity benefit. But you can’t ignore the reality that even if you can’t show a strict ROI, these are expenses that buy you some extra protection in a world of greater vulnerabilities. And that expense, compared to the cost if something goes wrong—if your supply chain is disrupted, if there is criminal activity or a disaster or a terrorist strikes—is minimal.

Did you view technology as central to preparedness before 9/11? Or did that event change your view of the intersection of IT and security?

I can’t think of a company that doesn’t use technology as its backbone for operations. So just like anything else, the first thing you do is protect the most critical thing to your operations, and that’s IT. But the business enterprise today has a nervous system in IT which is basically the sine qua non of the entire operation. Security and risk assessment of IT systems includes looking for points of access in the event of disruption, safeguarding proprietary information and protecting consumer and customer information—they are all related. I don’t pretend to be a technology expert, but I’ve known intuitively and instinctively that whenever you have an opportunity to embed technology with well-trained people around a very specific mission, you need to do it. You can’t operate any entity, large or small, this day and age without a good IT system.

How did technology affect the events on 9/11?

On 9/11 we learned that the traditional means of communications within the first responder community was inadequate. We had different communication systems that were not interoperable. One of my great frustrations six years after the event is that there has been much discussion about interoperability but very little has been done about it. The FCC has indicated they are prepared to dedicate a certain spectrum on the broadband for a nationwide public safety network. They are to be commended for their vision and foresight.... I just wonder where Congress has been for the last five or six years. One can imagine the enormous benefit of data, voice and video being available to the first responder community, not just in the event of a terrorist attack, but so many other occasions. This goes back to the sense of complacency. One of the most glaring examples has been the failure to build a national system, and it’s going to take years to get it to where it needs to be. Clearly, technology failed a lot of people on 9/11. On the flip side, the people on United 93 were able to communicate with others and learn the fate of the other three planes. Armed with that information and more courage than most people can muster, they understood their fate had been sealed; they decided this was one commercial airliner that was not going to be turned into a missile. So there was good and bad. It was good enough to inform the passengers of United 93 but not good enough for the firemen and policemen on the ground surrounding the twin towers.

Do you think our lack of progress in this area is a result of complacency, a lack of funding or a combination of both?

I think funding is an issue. While local and state governments have some responsibility, a national system should be built by the federal government. We spend millions annually on communications, so there is plenty of opportunity to invest those dollars into supporting a new infrastructure. Over the last few years we’ve expended billions on equipment and had we had a commitment to a broadband infrastructure, the money would have been more effectively used. Once the FCC gets this through, other jurisdictions will know where their dollars need to be spent in order to be compatible. It will revolutionize the intersection of public safety and security.

You served in Vietnam. How can you apply preparing for disaster in a war to your work today?

There are certain maxims that combat soldiers understand better than others. You need to train and exercise in a certain way. And if you fail to plan, train and exercise against certain potential challenges, and they appear, you are probably going to fail. Even within that environment you can’t prepare for everything, so you have to be prepared for the unpredictable. There is a certain element of surprise associated with every crisis and challenge you face. But most people in the military will tell you that you reduce losses and enhance odds for success by having the right equipment, training and the right people. And it applies to the corporate world too. Have you empowered your CIO or CSO to look critically at your entire infrastructure and make specific requests? Do you have a business continuity plan and do you exercise it? Have you tried it out? There are basic lessons in regard to planning and training that are helpful because sometimes you don’t have time to think, you just have time to react. But if you’ve trained a certain way and planned a certain way, the chances are pretty good you will react the right way. ■






BUSINESS RISK LEADERSHIP

[undercover]

By Anonymous

Watching the Watchers

Even the best security staff is not above making costly mistakes


It was late on a Friday afternoon and I was getting ready to go home for the weekend when the telephone rang. We all know that a phone call late on Friday is never a good thing. I hesitated for a moment then grudgingly picked up the phone.

“Mr. Smith?” the voice inquired.

“Yes...”

“My name is John Jones and I’m the marketing manager for MuchoLocoSecurity Inc. [All names have been changed to protect the innocent and the guilty.] We are a security software development company on the East Coast. I’m sitting here with our chief legal counsel and company president. This call is to advise you that one of your employees has illegally downloaded one of our software applications onto your network and it is currently installed on 8,441 workstations and 106 servers. The application in question retails for $39.95 per copy but we’ve decided to allow you to purchase all 8,547 licenses for $12.00 per copy for a total of $102,564. How would you like to pay?”

Gulp!

After establishing that this was legitimate and not an elaborate prank call from a deranged colleague, I told the marketing manager I’d be in touch early the next week. The weekend wasn’t shaping up well. I called my boss and advised him of the situation. The next step was to call my lead incident response guy to determine the validity of the company’s accusations. We have a fairly formal process for approving software so when they called back 15 minutes later and said the software in question was indeed installed, I wasn’t surprised. I was, however, dismayed to discover that the suspected culprit was one of my best guys—someone I wouldn’t normally have suspected.

My next call was to legal. Do you know how hard it is to find a government attorney on a Friday evening? After interrupting several family dinners, I found an attorney and relayed my conversation with MuchoLocoSecurity. She absently said that we’d address it on Monday but I should spend the weekend gathering information. OK, how many of you have had a perfectly planned weekend ruined by a Friday afternoon phone call?

Perhaps some of you have already figured it out, but guess who was responsible for running the internal auditing tools we used for detecting unauthorized software in our environment? Yep...the same guy who had downloaded the hacked license key and illegally installed the software in question. Lest you think that I had a black hat on my staff, that was not the case. This was one of my best and most loyal security engineers. The whole incident started innocently and legally enough with him working with a sales engineer from MuchoLocoSecurity and getting an evaluation copy and license for the software. Things got very confusing after that. My guy claimed that the SE was aware of everything he had done, while the company sales guy claimed something completely different. The bottom line was that MuchoLocoSecurity knew, and had supporting evidence, that their software was installed on a specific date using an illegal license key in our IT environment.

This is all background to get the juices flowing and get you thinking. I could bore (or entertain) you with how this whole incident played out but let me just say that it was painful and professionally damaging to more than one staffer, and when it was finally resolved a couple of months later, my budget was magically smaller by about $100K. While this might hurt in a private sector company, in a government organization like mine, it ruined the year. While many of you have already started going through your mental checklist, there are probably others hyperventilating at the thought that this could happen to you too! Since this article is intended to enlighten you, my CSO colleagues, here are some of the things I learned from this experience.


Have  a  Policy 

You  must  have  a  security  policy  that  spe¬ 
cifically  addresses  the  use  of  noncompany 
issued  or  approved  software  and  that 
defines  roles  and  responsibilities  so  that 
everyone  understands  who  can  and  cannot 
download  software  and  for  what  reasons.  If 
your  security  staff  is  like  mine,  they  can  get 
creative  and  will  play  fast  and  loose  unless 
there  are  specific  policy  guidelines  for 
downloading  and  using  “productivity  soft¬ 
ware.”  Don’t  get  me  wrong.  I  love  the  fact 
that  my  gals  and  guys  are  always  looking  for 
ways  to  do  their  job  better.  The  problem  is, 
there  are  so  many  cool  tools  that  many  times 
they  think  there’s  no  harm  in  downloading 
and  installing  the  latest  version  of  an  appli¬ 
cation.  Unfortunately,  the  harm  may  not  be 
known  until  the  damage  has  already  been 
done.  I  know.  I’ve  done  it  and  had  my  hands 
slapped,  as  many  of  you  have! 

While  we  had  a  good  policy  regard¬ 
ing  the  use  of  legal  software,  it  was  a  little 
loose  on  the  use  of  illegal  software.  It’s 
critical  to  ensure  your  policy  is  unequivo¬ 
cal  in  identifying  what  types  of  licensed 
or  unlicensed  software  can  be  installed.  Is 
software  licensed  under  GPL,  LGPL  or  FSF 
approved?  What  about  Copyleft?  What 
does  all  this  mean?  Check  out  this  helpful 
background  at  http://en.wikipedia.org/wiki/ 
GPL.  And  read  all  licenses  thoroughly. 

A  good  policy  should  also  state  that  only 
software  that  has  been  approved  by  your 
governing  control  board  can  be  installed  in 
your  network  environment.  In  addition  to 
your  working  “software  tools,”  this  policy 
should  include  encryption,  PDA,  MP3  and 
peer-to-peer  software,  as  well  as  screen 
savers  and  browser  plug-ins.  Your  policy 
should  also  address  media  and  external 
devices  that  are  personally  owned.  Not  only 
are  these  a  huge  source  of  malware  but  they 
can  compromise  the  integrity  of  your  soft¬ 
ware  environment,  and  the  last  thing  you 
want  is  an  unexpected  knock  on  the  door  by 
the  Business  Software  Alliance. 

Have  an  acceptable  use  guideline 
defined  in  your  policy  and  require  your 
staff  to  sign  on  to  it.  Make  sure  it  specifically 
calls  out  the  IT  and  security  team  members 
so  that  no  employee  feels  above  the  rules. 
You  should  also  have  a  change  control  pol¬ 
icy.  Good  change  control  processes  ensure 
your  staff  understands  how  and  when  it  is 
acceptable  to  introduce  new  software  and 


changes  into  your  computing  environment. 
A  change  control  policy  should  require  that, 
among  other  things: 

■  Any  system  changes,  including  new 
software  installations,  are  documented 
and  approved 

■  Configuration  management  documen¬ 
tation  is  updated  to  reflect  the  new 
state 

■  Changes  are  applied  only  by  autho¬ 
rized  personnel 

■  Changes  made  by  one  person  to 
security  appliances  and  devices  must 
be  reviewed  by  another  qualified  staff 
member. 

This separation of duties keeps a potential bad apple from having both keys to the nuclear missile. The military calls it Two-Person Integrity, and the purpose is to keep people honest. I'm not equating an illegal software incident with something as critical as nuclear weapons, but we all take a hit in credibility when people start wondering who's watching the watchers.

Finally, make sure you have a policy to conduct background checks on all your new hires and annual checks for your existing staff. If you don't, you are asking for trouble. You'd think that in a large government organization this would be standard policy, right? Wrong! One of the first questions I was asked about this employee was if he'd had a background check.

Run Good Auditing Tools

You need to run security tools that audit and identify when unauthorized software is installed. Symantec Altiris, LANDesk, Microsoft Systems Management Server and Novell ZENworks are some of the representative tools that establish the heart of software asset management in a Windows environment. In addition to tracking what software is installed and uninstalled, these tools track licensing and report on inventory management and usage. Need metrics? These tools give you all you need.


Establish a Training Program

Make sure that your folks get regular refreshers on what it means to be a security professional. As most of us have heard, "The only difference between a security professional and a bad guy is permission." Even good people need to hear this every now and then. It reminds them not to cut corners. I've seen people get so caught up in resolving a problem or putting something new together that they forget their overall responsibilities and jeopardize their careers by circumventing policy. When people get caught driving drunk, their insurance rates go up and they have a police record. It doesn't matter if they are solid citizens with no prior records. The same goes for information security professionals. It's awfully hard to get a job with the black mark of unprofessional conduct on your resume.

Develop a Code of Ethics

Establish a code of ethics for your security staff and have them read and sign it annually. I do this so that my security team will internalize the fact that they are held to a higher standard. They have access and authority that few other IT people have. I set the bar high so that my staff recognizes that it's a privilege to work on the security team. It also helps us hold each other accountable. No one wants to have his credibility stained by a team member exceeding his privileges and bringing discredit upon the organization. We all believe that we have smart and dedicated people, but an annual refresher goes a long way in brushing away the cobwebs on a forgetful memory.

So there it is. Save yourself some heartache and make sure your people understand your organization's policies, but perhaps more important, what it means to be a security professional. ■

CSO Undercover is written anonymously by a real CSO. Send feedback to csoundercover@cxo.com.




November  2007  www.csoonline.com  45 


[INDUSTRY VIEW]

By David Lawson and Donita Prakash

The Risk Portfolio

A holistic approach to risk management pays off

When you approach the topic of risk within an organization, you might think it parallels that of a person taking out life insurance. In that case, applicants provide information about themselves (age, health issues) and the insurance company uses actuarial tables based on a hundred years of historical averages to assess the level of risk and cost to the policyholder per year.

Applying the same logic to enterprise risk has not yet proved itself. First there is the lack of historical data. The Internet is just 10 to 15 years old in terms of its impact on enterprise security. Data on the regulation of financial reporting, security of customer data and employee behavior patterns would all have to be analyzed to create an accurate barometer.

Additionally, security data is by and large outlier data because outbreaks that cause significant harm are still pretty rare. Given the number of enterprises in the world and the number of systems and processed information, a handful of major events doesn't become statistically significant as a numerator. That being said, we are also getting better at implementing technical security fixes to reduce risk. While the bad guys will often be one step ahead, we as risk professionals are not far behind in developing countermeasures and mitigating the threats and risks.

However, the few events that do cause significant harm have an incredibly large impact. They are like hurricanes, earthquakes and floods: disastrous when they happen. These types of events require that we put in place protections to predict, measure, remediate and recover from incidents that we cannot totally avoid. The impact is great enough to warrant addressing, but the events are so rare that we cannot study or predict them. An example is that of hacking attempts. One year your enterprise might be the target of an abnormally large number of attempts, the next an abnormally small number. The controls we put in place do not affect the number of attempts.

The first basic rule that leaders in risk management follow is to trend. Many organizations get caught up in the pure numbers without giving thought to what they are counting. We don't care how many bands of barbarians walk by the castle and throw stones. They don't impact our security and are not important to trend. Much more important is how well we attend to the few attacks that penetrate the exterior. For example, how quickly do we stave off the virus that has gotten inside? How soon is the rest of the enterprise inoculated and protected? How many times did the enterprise contain the damage and rebuild?

A mature enterprise will follow the data, observe the directions and identify the trends to determine the effectiveness of its security controls and operations. This information is actionable; counting for the sake of counting is not.

Our clients at Fortune 500 companies and federal agencies who take the approach of managing an enterprise risk portfolio have had the best measure of success in understanding and controlling their risk with limited resources. They catalog policies, procedures and systems across the organization using risk management software (for example, Archer Technologies SmartSuite Framework). By taking this inventory and storing it in a consolidated enterprise risk management system, they are able to more effectively manage the dynamic nature of risk and its mercurial impacts.

While we can see the trends in the breaches and impacts, the enterprise can also identify those areas in which a strategic approach can reduce or eliminate a number of vulnerabilities or risks. By identifying those changes that make the most impact across the organization, they can effectively prioritize their limited resources and maximize the effect of those dollars spent. The most rational approach at the executive level is to identify your desired risk posture and budget for expected security operations, but set aside an emergency fund to handle those years when the barbarian makes it into the keep. ■


David Lawson is Director of Risk Management and Donita Prakash is Director of Marketing at Acumen Solutions.






The CSO Executive Seminar Series on PCI Compliance

Building Privacy & Security Into Your Organization

Thank you to our Chicago sponsors.

Gold Sponsor: The Security Division of EMC

Silver Sponsors: Security Innovation, Imprivata, The Application Security Company

Presented by: CSO

Join us at one of our upcoming events. View the 2008 conference calendar at www.CSOonline.com/conferences.


BUSINESS RISK LEADERSHIP

[DEBRIEFING]

24/7/365

Be Prepared!

Employee Awareness Newsletter, November 2007

STAY SAFE AND SECURE OVER THANKSGIVING

A friendly reminder from your CSO

Friends,

[...] department wanted to offer some [...]

■ To avoid long waits at airport security checkpoints, refrain from carrying the following items: guns, bombs, liquids, sharp objects, electronics, metals, plastics, shoes, clothes, magazines, luggage, gourds, waterfowl, dull objects, nieces and nephews and Boone's Farm wine.

■ Some families enjoy homemade eggnog on Thanksgiving morning, not realizing they're about 10 salmonella cells away from an intestinal event. Pasteurize!

■ During dinner, it's important to station one adult at the kids' table to handle hot dishes and avoid trips to the burn unit. (This adult should not be Uncle Mike or whichever relative likes to delight the kids' table by squirting mashed potatoes through his [...].)

■ [...] serving utensils in protective sleeves at all times during use.

■ [...] violence is similar to workplace violence. You minimize family crises by choosing not to engage aggressive personalities. Just because Uncle Mark says the [...] are better than the Patriots doesn't mean you have [...] just freakin' absurd! Anyway, walk away and call the police.

■ Remember: Tryptophan is not a recreational barbiturate. (However, Boone's Farm wine is.)

■ Plan to leave at least three hours between dinner and dessert, or else the touch football game could end in a reverse intestinal event.

■ Special note: Some of you may be curious about post-holiday "sales" on Friday. This is perfectly harmless fun as long as you take the necessary precautions:

1. Initiate heavy cardiovascular training six weeks prior and bring a portable defib unit.

2. [...] including malls, shopping [...]

3. Do not carry credit cards, checks or cash. Do carry a whistle and mace.

[...] Monday, when our access logs will indicate that you've arrived back at work no later than [...]



Illustration by Images.com


Who provides the cyber intelligence that can keep your company out of the dark?

Cyveillance. The world leader in cyber intelligence.

Every day, new threats emerge online that could harm the very core of your business. That's why industry leaders are turning to Cyveillance for a proven intelligence-led approach to address the full scope of today's online risk environment.

From malware and identity theft, to phishing, unlicensed product sales, and corporate espionage, Cyveillance covers the entire spectrum of Internet risks. With the most comprehensive Internet monitoring infrastructure, a real-time portal, and dedicated support from cyber intelligence experts, Cyveillance gives you the intelligence to stop threats before they cause harm.

Don't depend on conventional monitoring solutions to keep your organization in the know. Stay on top of online threats with Cyveillance, the world leader in cyber intelligence.

Download the new white paper: Intelligence-Led Security

www.cyveillance.com/CSO


It all begins with a single view of your entire IT portfolio: a scenic overlook of your assets, resources, projects and services. From there, you can plan better, manage better. You can make informed decisions, smart trade-offs and wise investments. In short, you can budget, forecast and track with insight, accuracy and verve. Yes, verve. And that's everything you need to translate IT value into terms that bring nods of enlightenment from your business partners. To learn more, download the white paper "Generating Premium Returns on IT Investments" at ca.com/itg.

CA

GOVERN • MANAGE • SECURE

Transforming IT Management


